Possible MitM vector?
Reported by lucas.m....@gmail.com, Jul 27 2017
Issue description

Chrome Version: 59.0.3071.115
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable): https://cmom.cplex.io
Other browsers tested: FireFox 54.0.1, IE 11

What steps will reproduce the problem?
1. Visit the url https://cmom.cplex.io
2. Observe that you are redirected to https://advengr.cplex.me/

What is the expected result?
Failed certificate verification

What happens instead of that?
Redirection.

Please provide any additional information below. Attach a screenshot if possible.
It seems like this could be used in a sneaky way to MitM people, but I haven't thought too deeply about it.

UserAgentString: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Jul 27 2017

Jul 27 2017
Tested on Chrome Stable #60.0.3112.78 & Canary #62.0.3167.0 on Windows 7 and was redirected to the login page of the same URL 'https://cmom.cplex.io/'. Attached the screen-cast for reference.

Steps followed:
1. Entered the mentioned URL 'https://cmom.cplex.io/'.
2. 'Your connection is not private' error is displayed.
3. Click on 'Advanced' link.
4. Click on the link 'Proceed to cmom.cplex.io (unsafe)'.
5. User is redirected further to enter login credentials.

@lucas.m.green -- Could you please follow the above steps and enter the respective credentials. If you still face issues, please provide us login credentials to investigate the issue further. Please let us know if we have missed anything. Thanks in advance.

Jul 27 2017
Emily: Does the interstitial redirect code work across eTLDs? Might this explain it?

To the reporter: Can you include the list of variations listed when you load chrome://version?

Jul 28 2017
Per comment 1, it sounds like this is due to previously clicking through a certificate error, so it's WAI. (Re comment 4, the interstitial redirect is only for hostnames that differ by a 'www' prefix, so it shouldn't come into play here.)

Jul 28 2017
D'oh, I missed Comment 1 somehow. Sorry for the noise.

Jul 28 2017
No problem, I missed it on the first 3 readings as well :)

Comment 1 by lucas.m....@gmail.com, Jul 27 2017