Issue metadata
Exploit on latest Chrome allows websites to hijack tab and prevent user from exiting said page.
Reported by bced...@gmail.com, May 18 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3100.2 Safari/537.36

Steps to reproduce the problem:
1. Encounter the malicious (scam-oriented) page, in my case it was: https://ge-mz-26.s3.amazonaws.com/dfgbv/ts-chrome-engnew24/index.htm?n=085-888-3252
2. Notice how you can never exit the tab and return to normal browser operation; the popup keeps forcing itself onto the user. If you try to tick 'Don't allow this page to show popups/dialog msgs', it seems the exploited page is able to remove the tickbox and send you right into fullscreen instead; that is suspected to be part of its workaround to prevent the user going through with it.

What is the expected behavior?
The user should be able to cease displaying scam pages or spam tabs, without the site preventing this and breaking normal usage of the Chrome browser. When this happens, you have no option but to stay staring at said tab.

What went wrong?
The URL I was at demonstrated the ability to:
1) prevent switching to other active tabs
2) prevent closing the scam/spam page
3) prevent the user ticking the anti-dialogue popup option, or at least null its consequence
4) essentially freeze the whole browser's potential to staying on said scam/spam page, unless the user closes the browser. (Personally I managed to exit by editing the URL to add view-source:.)

Did this work before? Yes
Chrome version: 60.0.3100.2 Channel: dev
OS Version: 10.0
Flash Version: Shockwave Flash 26.0 r0

I took a video of it happening in case the URL goes away or if it was uniquely generated. I also got the source code of the page, which I will add as an attachment; this can help identify the exploit this site uses to glitch out and take over Chrome control. Source of the page URL from repro step 1) is attached to the ticket as Malsource.txt. I will be adding the video ASAP, within 20 minutes from now, using YouTube.
May 18 2017
I also got a second video of another exploit I didn't clarify yet: this scam page SPOOFING the URL of a real Microsoft page. See https://www.youtube.com/watch?v=3jF4OvKZ-gE for that. In the address bar, the green security 'safe' certificate shows on the Russian Microsoft page, while in fact you still see the scam page with scam phone numbers from these spammers/fake Microsoft support line. It seems to alternate/flicker in between the Amazon URL and the Microsoft Russia page; maybe they intended it to always be covered by the real Microsoft URL so it looks legit, but it ended up sometimes loading with the Amazon scam URL visible. After a while it suddenly popped back to the Amazon URL.
May 18 2017
I've reported the URL in #0 to SafeBrowsing for blocking. I don't have any problems navigating away from this page in Chrome 60.3103, but it is considerably more difficult in Chrome 58. It's possible that one of the changes/experiments in Issue 629964 is helping me out here. Importantly, the user need not click "OK" in the alert box anymore (dialogs are no longer application modal). The faked browser chrome at the top of the window is just a static screenshot which is shown if/when the malicious page is allowed to go full-screen. The attackers didn't bother to update the code, so it's showing a very old Chrome UI (circa Chrome 40) instead of the current Material design UI. I don't think there's anything else we need to do here from a Chrome Security point of view; this looks like a run-of-the-mill social-engineering site.
May 18 2017
Based on #3, closing as WontFix. Also, the URL has been reported.
Jun 27 2017
Aug 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot