Issue metadata
Security: Phishing on http://google.com Via Web Extension Using Domain Fronting
Reported by ilyaigpe...@gmail.com, Sep 24 2017
Issue description

# VULNERABILITY DETAILS

Domain fronting [1] implemented in a Chrome extension may be used to substitute the response from http://google.com or http://google.ru with a malicious response from a Google App Engine server.

[1]: https://www.bamsoftware.com/papers/fronting/

# VERSION

Chrome Version: 61.0.3163.91 stable

Operating Systems:
1. Linux R730-LINUX 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
2. Windows 10 Creators Update build 10.0.15063

# REPRODUCTION CASE

Currently the extension is configured to work with my server. My server may be removed at some time in the future, so I provide the server sources as well.

## Deploying Own Server (Not Necessary)

1. Deploy the server from ./domain-fronting/app-engine-server
2. Substitute the appspot URL of my server with yours in ./domain-fronting/chrome-extension/index.js

## Reproduction

1. Install the extension.
2. Open http://google.com or http://google.ru (not httpS!).
3. See the reply from the App Engine server.
Sep 25 2017

It's true that a content script may be used to steal passwords, as well as an HTTP proxy. It's just another way to steal passwords, nothing new here. Sorry for bothering; I just thought this report might be used to reduce the attack vector a little bit by fixing things on Google's side or in the web-extensions API.
Sep 25 2017

Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 25 2017
Jan 2 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 25 2017

Labels: Needs-Feedback

It's unclear what you believe to be a vulnerability here. The extension in your POC requests the following:

"permissions": [ "<all_urls>", "webRequest", "webRequestBlocking" ],

These permissions are sufficient to perform a phishing attack on any web page without bothering to go to the trouble of domain fronting, redirecting traffic at the network level, or anything more elaborate. Can you explain more fully why domain fronting is relevant or more interesting than the straightforward attack whereby your content script injects a phishing attack directly?
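The triager's point is that the permission set itself, not the domain-fronting trick, is what lets the extension replace any page. The following manifest audit is an added example, not the reporter's extension or any Chromium code: it parses an extension manifest and flags the combination quoted in Comment 1 (a broad host pattern such as "<all_urls>" together with "webRequest" and "webRequestBlocking"), plus content scripts matched against every site, which is the "straightforward attack" the comment mentions. It goes slightly beyond the page by also reading Manifest V3's "host_permissions" key; the two sample manifests are constructed for the example and the finding codes are names chosen here.

```python
"""Audit a Chrome extension manifest for traffic-control permissions.

Added example (not the reporter's extension or Chromium code). Flags the
permission combination quoted in Comment 1: a broad host pattern plus
"webRequest" and "webRequestBlocking", which lets an extension observe,
block and redirect every request, so no domain fronting is needed to
swap a page for attacker-controlled content. Handles Manifest V2 (host
patterns inside "permissions") and Manifest V3 ("host_permissions").
"""
import json

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample, modelled on the permission list quoted in Comment 1
# (this is not the reporter's real manifest).
SAMPLE_POC_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "constructed-sample",
    "version": "0.1",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"],
    "background": {"scripts": ["index.js"]},
})

# Constructed benign sample: one-site content script, no webRequest access.
SAMPLE_BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "constructed-benign",
    "version": "0.1",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["cs.js"]}],
})


def _host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions' and MV3 'host_permissions'."""
    patterns = {p for p in manifest.get("permissions", [])
                if "://" in p or p == "<all_urls>"}
    patterns |= set(manifest.get("host_permissions", []))
    return patterns


def _content_script_patterns(manifest):
    """Collect every 'matches' pattern of every declared content script."""
    patterns = set()
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a sorted list of finding codes for one parsed manifest dict."""
    findings = set()
    perms = set(manifest.get("permissions", []))
    broad_hosts = _host_patterns(manifest) & BROAD_HOSTS
    broad_cs = _content_script_patterns(manifest) & BROAD_HOSTS
    if broad_hosts:
        findings.add("BROAD_HOST_ACCESS")
    if broad_cs:
        # Scripts injected into every page: the direct route Comment 1 describes.
        findings.add("CONTENT_SCRIPT_ALL_SITES")
    if {"webRequest", "webRequestBlocking"} <= perms:
        findings.add("CAN_BLOCK_REDIRECT_REQUESTS")
        if broad_hosts:
            # Any request can be redirected or answered from elsewhere: the same
            # effect the report reaches via domain fronting, with no fronting needed.
            findings.add("CRITICAL_FULL_TRAFFIC_CONTROL")
    if manifest.get("manifest_version") == 3 and "webRequestBlocking" in perms:
        # In MV3 blocking webRequest is honoured only for policy-installed extensions.
        findings.add("MV3_BLOCKING_POLICY_ONLY")
    return sorted(findings)


def audit_manifest_json(text):
    """Convenience wrapper: audit a manifest given as a JSON string."""
    return audit_manifest(json.loads(text))


if __name__ == "__main__":
    for label, text in (("poc-like", SAMPLE_POC_MANIFEST),
                        ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(label, audit_manifest_json(text))
```

Run it against an unpacked extension's manifest.json to get the same triage view the comment applies: a "CRITICAL_FULL_TRAFFIC_CONTROL" finding means the extension already has everything it needs to rewrite any page, so the review should focus on the extension's install path and code rather than on any particular server it talks to.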