
Issue 794787


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 2
Type: Bug




random security issues on amazon and ebay

Reported by username...@gmail.com, Dec 14 2017

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9901.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.97 Safari/537.36
Platform: 9901.77.0 (Official Build) stable-channel gnawty

Steps to reproduce the problem:
1. go to amazon.com
2. go to ebay.com
3. 

What is the expected behavior?
Normally both websites open just fine.  

What went wrong?
Will randomly get this message on a desktop, Chromebook, and Android phone.  Do not get the issues on a Windows laptop running Chrome.
NET::ERR_CERT_AUTHORITY_INVALID
Has only happened in the last couple days.  I have gone through my router with my internet company and cannot find any issues with my IP security.

Did this work before? N/A 

Chrome version: 62.0.3202.97  Channel: stable
OS Version: 9901.77.0
Flash Version: 27.0.0.187
 
Cc: elawrence@chromium.org
This usually means something is wrong with the certificate chain or root store. Is this happening on your Chrome OS device?
Components: Internals>Network>Certificate
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback OS-Linux Type-Bug
This can also happen if your router or another captive portal starts interfering with your traffic (e.g. trying to show you a notice about your internet service provider subscription, etc).

Please see the end of https://textslashplain.com/2017/03/30/get-help-with-https-problems/

You can get diagnostic information by clicking or tapping directly on the text of the ERR_CERT_AUTHORITY_INVALID error page. When you do so, a bunch of new text will appear in the page.

You should select all of the text, then hit CTRL+C (or Command ⌘+C on Mac) to copy the text to your clipboard. You can then paste the text into a comment on this issue. 

The “PEM encoded chain” information will allow engineers to see exactly what certificate the server sent to your computer, which might shed light on what specifically is interfering with your secure connections.
When I go to amazon.com:

Your connection is not private

Attackers might be trying to steal your information from www.amazon.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
 
Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy
ReloadHIDE ADVANCED
www.amazon.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.amazon.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.amazon.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit www.amazon.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
This happens on my chromebook (so, yes, Chrome OS device)
It also happens on my son's windows desktop (chrome browser) and my samsung phone (android).  Trying to figure out if there were any recent updates to chrome that may be causing this issue.  It has only happened in the last few days.

Does not happen to my (older) windows laptop (using chrome as my browser).
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Can you please include a chrome://net-export dump (see https://dev.chromium.org/for-testers/providing-network-details) or the chain, as requested in Comment #2?
So far I only see this happening on amazon.com and ebay.com

I can visit credit card and credit union websites, and they all show the "secure lock" on the address bar.  Amazon and ebay say "not secure" on the address bar.  Ebay usually sends me to a sign in page, amazon has the error code.


Project Member

Comment 8 by sheriffbot@chromium.org, Dec 15 2017

Cc: rsleevi@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 Deleted

Labels: Needs-Feedback
Unfortunately, we will not be able to help unless you can follow the requested instructions to provide more details.

If you click the NET::ERR_CERT_AUTHORITY_INVALID text, more information will appear. You can see screenshots of what this looks like at the end of https://textslashplain.com/2017/03/30/get-help-with-https-problems/ if you're having problems. We need the information that shows when you click on that error code.


log file, as requested...


Attachment: chrome-net-export-log 1.json (892 KB)
Project Member

Comment 12 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Reply to comment #10:

I provided that info (copy and pasted full error message) in comment #3
The goal was to get the extra diagnostics, as obtained from

"You can get diagnostic information by clicking or tapping directly on the text of the ERR_CERT_AUTHORITY_INVALID error page. When you do so, a bunch of new text will appear in the page."
Oops... found my error... when I try to access amazon.com (updated):

Your connection is not private

Attackers might be trying to steal your information from www.amazon.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: ebay.com
Issuer: ebay.com
Expires on: Jul 13, 2018
Current date: Dec 15, 2017
PEM encoded chain:

Thanks! The network log indicates it believes "www.amazon.com" is 185.106.120.182 . That IP block appears to be owned by HostSailor NL. This seems to match your DNS configuration, which is set to resolve hosts using the DNS server at 185.141.25.61.

Further, other subdomains of amazon.com that are valid appear to not be resolving correctly.

Based on the Certificate and the Network Log, it appears that your local network/router (not your Chromebook) may have been compromised, either by your ISP or by a malicious party. Are you in the Netherlands / do you use HostSailor?

If these don't ring any bells, you should contact your ISP on how to return or reconfigure your internet connection, as it may be compromised.

Not in Netherlands, no hostsailor.

I've been working with my ISP to resolve the issues, and have gone through my router to check settings with them, but they are convinced it is coming from Chrome's end. 

I will send the first paragraph to them (of comment #16) to see if they can help me resolve the issue.

Thank you.


Status: WontFix (was: Unconfirmed)
This is definitely an attack, and not a bug in Chrome.

HostSailor is being used as a host provider for a known compromise of Netgear routers that were using the default login credentials. The attack changes the DNS server settings on the router, with the intent of hijacking ebay.com and amazon.com to then steal credit card information. [1]

To fix this, you need to minimally reset your router settings, and definitely put a password on it so it cannot be compromised again. For the DNS server settings you can set it to 8.8.8.8 (Google's public DNS), or your ISP's DNS server if you prefer. That should fix the certificate error you are seeing.

The good news is that Chrome protected you from this attack. The original navigation to http://www.amazon.com/ got redirected by HSTS to https://www.amazon.com. And then the certificate verification rightfully rejected the phony certificate being presented by the attacker.

Closing as WontFix since this requires a fix on the user's end.

Cheers.

[1] Source: Comment section from https://www.abuseipdb.com/check/185.82.202.78
(Oh, and also make sure the firmware on your router is up to date, since sometimes those patch security problems)
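
Added example (not part of the original thread and not Chromium code): a small triage script for the diagnostic text that the error page reveals, flagging the two signs seen in this report, a certificate whose Subject equals its Issuer and whose name does not match the requested host. The function names are hypothetical and the sample text is constructed from the fields quoted above; it assumes the Subject line carries a single DNS name.

```python
import re
from datetime import datetime

# Constructed sample: the fields quoted in this thread, PEM chain omitted.
SAMPLE = """\
Attackers might be trying to steal your information from www.amazon.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: ebay.com
Issuer: ebay.com
Expires on: Jul 13, 2018
Current date: Dec 15, 2017
"""

def parse_diagnostics(text):
    """Extract the requested host, error code and certificate fields from pasted text."""
    fields = {}
    m = re.search(r"steal your information from (\S+)", text)
    fields["host"] = m.group(1).lower() if m else None
    m = re.search(r"^(NET::ERR_\w+)\s*$", text, re.M)
    fields["error"] = m.group(1) if m else None
    for key, label in (("subject", "Subject"), ("issuer", "Issuer"),
                       ("expires", "Expires on"), ("now", "Current date")):
        m = re.search(rf"^{label}:\s*(.+?)\s*$", text, re.M)
        fields[key] = m.group(1) if m else None
    return fields

def name_matches(host, subject):
    # Exact match or a single-label wildcard; real verification also checks SANs.
    host, subject = host.lower(), subject.lower()
    if subject.startswith("*."):
        return "." in host and host.split(".", 1)[1] == subject[2:]
    return host == subject

def triage(text):
    """Return (parsed fields, list of findings) for one pasted error page."""
    f = parse_diagnostics(text)
    findings = []
    if f["subject"] and f["issuer"] and f["subject"] == f["issuer"]:
        findings.append("self-issued")       # no public CA vouched for this leaf
    if f["host"] and f["subject"] and not name_matches(f["host"], f["subject"]):
        findings.append("name-mismatch")     # certificate is for a different site
    if f["expires"] and f["now"]:
        fmt = "%b %d, %Y"
        if datetime.strptime(f["expires"], fmt) < datetime.strptime(f["now"], fmt):
            findings.append("expired")
    return f, findings
```

Both findings together, on a site that normally validates, point at interception on the network path (here, the router's DNS settings) rather than at the browser.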
