Issue 754235

Issue metadata

Status: Duplicate
Merged: issue 730638
Owner: ----
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Chrome URL spoofing with several functions

Reported by ma7h1a...@gmail.com, Aug 10 2017

Issue description

Chrome URL spoofing with several functions
2017.8.10


AFFECTED PRODUCTS
--------------------
chrome 59.0.3071.115


DESCRIPTION
--------------------
This attack shows that if the target site uses any function like alert/prompt/confirm,
we could spoof it.
When tested on Firefox, it sets the content of the document to null at once.

1. The attacker's website is 127.0.0.1
2. The target site is www.math1as.com
3. It does not need any user gesture (the click is just for testing)

:) I am too lazy to find a Google site for testing, so I tested on my own server,
but https://newsstand.google.com/ shows there must be many websites like this.
As you can see it uses the alert function, but it could not be exploited because of the time-out.

PoC
--------------------
poc.html, put in a local HTTP server
attack.gif shows how to make this attack

SOLUTION
--------------------
If Chrome redirects to another website, please set the document content to null before loading the page, like Firefox does.


CREDIT
--------------------
This vulnerability was discovered by mathiaswu of Tencent's Xuanwu Lab.

Attachments:
poc.html (464 bytes)
attack.gif (3.7 MB)

Comment 1 by kenrb@chromium.org, Aug 10 2017

Thanks for the report, but I might not be entirely understanding the spoof claim. So far the behavior looks basically correct to me.

I think you are pointing out that the URL on the original page updates, but the original (spoof) content doesn't immediately disappear, because of the modal popup. In fact, the original Document has been unloaded, but the new page doesn't visually show yet. Is your suggestion that the brief time that you see the original page content with the math1as.com URL would convince people that the about:blank popup is authentic?

There is a security/usability trade-off we made that allows the old (unloaded) page to remain on the screen for 4 seconds to wait for the new page to paint, and after that time it blanks to white.

If you search our security bug history, you could probably find more effective ways to prevent the new page from painting even after it has finished loading. The 4-second timer should still blank it.

Please let me know if there is any aspect to this that I am not seeing.
Components: Blink>WindowDialog
It certainly sounds the same as Issue 730638

Comment 3 by tsepez@chromium.org, Aug 10 2017

Mergedinto: 730638
Status: Duplicate (was: Unconfirmed)

Comment 4 by sheriffbot@chromium.org, Nov 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot