
Issue 765635

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 96041
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security




hijack cross-domain window title

Reported by ma7h1a...@gmail.com, Sep 15 2017

Issue description

AFFECTED PRODUCTS
--------------------
Chrome 61.0.3163.91


DESCRIPTION
--------------------
Chrome did not refresh its window title if the target does not have a title,
but other browsers like Firefox and IE would simply clear it.
It could "hijack" a cross-domain window's title,
which may cause a potential spoofing problem.

For example, I found a page on *.google.com that shows this problem.
Online demo: http://xsser.math1as.com/exp.html

Attachment: spoof_problem.jpg (9.8 KB)
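The precondition this report relies on is a page that never sets a usable `<title>`. As an added example (not code from the report or from Chromium), the audit below flags a site's own pages whose title is missing or blank, and notes when such a page is only a meta-refresh redirect stub, since the thread suggests a redirect is involved; the sample documents are constructed.

```javascript
// Added example, not code from the report or from Chromium.
// Audits HTML documents for a missing or blank <title>, the condition
// under which the affected Chrome builds kept the previous page's title.
const TITLE_RE = /<title\b[^>]*>([\s\S]*?)<\/title>/i;
const META_REFRESH_RE = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/i;

// Remove HTML comments so a commented-out <title> is not counted as present.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

// Returns { status: "ok" | "blank" | "missing", title, redirectStub }.
function auditTitle(html) {
  const body = stripComments(html);
  const m = TITLE_RE.exec(body);
  const redirectStub = META_REFRESH_RE.test(body);
  if (!m) return { status: "missing", title: null, redirectStub };
  // Collapse whitespace and decode the one entity a title commonly uses.
  const title = m[1].replace(/\s+/g, " ").replace(/&amp;/g, "&").trim();
  if (title === "") return { status: "blank", title, redirectStub };
  return { status: "ok", title, redirectStub };
}

// Audit a map of path -> HTML and return only the pages that need a title.
function findUntitledPages(pages) {
  const findings = [];
  for (const [path, html] of Object.entries(pages)) {
    const r = auditTitle(html);
    if (r.status !== "ok") findings.push({ path, ...r });
  }
  return findings;
}

// Constructed sample documents (hypothetical paths, not pages from any real site).
const SAMPLE_PAGES = {
  "/index.html": "<html><head><title> Example &amp; Co </title></head><body></body></html>",
  "/old-path.html": '<html><head><meta http-equiv="refresh" content="0;url=/index.html"></head><body></body></html>',
  "/draft.html": "<html><head><!-- <title>Draft</title> --><title>  </title></head><body></body></html>",
};

for (const f of findUntitledPages(SAMPLE_PAGES)) {
  console.log(`${f.path}: title ${f.status}${f.redirectStub ? " (redirect stub)" : ""}`);
}
```

Pages reported as `missing` or `blank` should be given an explicit title (a redirect stub can simply carry the destination's name) so that no browser is left showing a title chosen by the previous document.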
Status: Untriaged (was: Unconfirmed)
Fun. This seems to reproduce in Chrome 62.3202 and 61.3163, but I cannot repro in 63.3215.

The security impact seems extremely limited (as the spoofing area is tiny and the victim would have to fail to set a title).

Comment 2 by ma7h1a...@gmail.com, Sep 15 2017

Yes, but with a scanner I found so many pages without a title set on google, apple, etc., so it's easy to get a victim website.

Comment 3 by mea...@chromium.org, Sep 15 2017

Components: UI>Browser>Navigation
Labels: Security_Severity-Low Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Available (was: Untriaged)
I can still repro in 63.0.3216 on Linux.

This might be a navigation issue since there is a redirect involved. Navigation folks, can you please take a look?

Comment 4 by mea...@chromium.org, Sep 15 2017

Labels: OS-Android
Works on Android too.
Perhaps related to Issue 96041?

Comment 6 by mea...@chromium.org, Sep 15 2017

Cc: a...@chromium.org
Old bug is old! Avi, wdyt?

Comment 7 by a...@chromium.org, Sep 15 2017

Cc: creis@chromium.org dcheng@chromium.org
Owner: a...@chromium.org
Status: Assigned (was: Available)
I reverted a bad fix for issue 96041, but that would not have affected this.

There was a fix that I was working on for 96041 that would handle this. Taking, as it's in my area.
Comment 8 by sheriffbot@chromium.org (Project Member), Sep 16 2017

Labels: Pri-2

Comment 9 by a...@chromium.org, Nov 10 2017

Mergedinto: 96041
Status: Duplicate (was: Assigned)
Comment 10 by sheriffbot@chromium.org (Project Member), Feb 16 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
