random security issues on amazon and ebay
Reported by
username...@gmail.com,
Dec 14 2017
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9901.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.97 Safari/537.36
Platform: 9901.77.0 (Official Build) stable-channel gnawty

Steps to reproduce the problem:
1. go to amazon.com
2. go to ebay.com
3.

What is the expected behavior?
Normally both websites open just fine.

What went wrong?
Will randomly get this message on a desktop, Chromebook, and Android phone. Do not get the issues on a Windows laptop running Chrome.
NET::ERR_CERT_AUTHORITY_INVALID
Has only happened in the last couple days. I have gone through my router with my internet company and cannot find any issues with my IP security.

Did this work before? N/A
Chrome version: 62.0.3202.97 Channel: stable
OS Version: 9901.77.0
Flash Version: 27.0.0.187
Dec 14 2017
This can also happen if your router or another captive portal starts interfering with your traffic (e.g. trying to show you a notice about your internet service provider subscription, etc). Please see the end of https://textslashplain.com/2017/03/30/get-help-with-https-problems/

You can get diagnostic information by clicking or tapping directly on the text of the ERR_CERT_AUTHORITY_INVALID error page. When you do so, a bunch of new text will appear in the page. You should select all of the text, then hit CTRL+C (or Command ⌘+C on Mac) to copy the text to your clipboard. You can then paste the text into a comment on this issue.

The “PEM encoded chain” information will allow engineers to see exactly what certificate the server sent to your computer, which might shed light on what specifically is interfering with your secure connections.
Dec 15 2017
When I go to amazon.com: Your connection is not private Attackers might be trying to steal your information from www.amazon.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy ReloadHIDE ADVANCED www.amazon.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.amazon.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.amazon.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged. You cannot visit www.amazon.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
Dec 15 2017
This happens on my Chromebook (so, yes, Chrome OS device). It also happens on my son's Windows desktop (Chrome browser) and my Samsung phone (Android). Trying to figure out if there were any recent updates to Chrome that may be causing this issue. It has only happened in the last few days. Does not happen to my (older) Windows laptop (using Chrome as my browser).
Dec 15 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2017
Can you please include a chrome://net-export dump (https://dev.chromium.org/for-testers/providing-network-details) or the chain, as requested in Comment #2?
Dec 15 2017
So far I only see this happening on amazon.com and ebay.com. I can visit credit card and credit union websites, and they all show the "secure lock" on the address bar. Amazon and eBay say "not secure" on the address bar. eBay usually sends me to a sign-in page, Amazon has the error code.
Dec 15 2017
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2017
Unfortunately, we will not be able to help unless you can follow the requested instructions to provide more details. If you click the NET::ERR_CERT_AUTHORITY_INVALID text, more information will appear. You can see screenshots of what this looks like at the end of https://textslashplain.com/2017/03/30/get-help-with-https-problems/ if you're having problems. We need the information that shows when you click on that error code.
Dec 15 2017
log file, as requested...
Dec 15 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2017
Reply to comment #10: I provided that info (copy and pasted full error message) in comment #3
Dec 15 2017
The goal was to get the extra diagnostics, as obtained from "You can get diagnostic information by clicking or tapping directly on the text of the ERR_CERT_AUTHORITY_INVALID error page. When you do so, a bunch of new text will appear in the page."
Dec 15 2017
Oops... found my error... when I try to access amazon.com (updated): Your connection is not private Attackers might be trying to steal your information from www.amazon.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID Subject: ebay.com Issuer: ebay.com Expires on: Jul 13, 2018 Current date: Dec 15, 2017 PEM encoded chain:
Dec 15 2017
Thanks! The network log indicates it believes "www.amazon.com" is 185.106.120.182. That IP block appears to be owned by HostSailor NL. This seems to match your DNS configuration, which is set to resolve hosts using the DNS server at 185.141.25.61. Further, other subdomains of amazon.com that are valid appear to not be resolving correctly.

Based on the Certificate and the Network Log, it appears that your local network/router (not your Chromebook) may have been compromised, either by your ISP or by a malicious party. Are you in the Netherlands / do you use HostSailor? If these don't ring any bells, you should contact your ISP on how to return or reconfigure your internet connection, as it may be compromised.
Dec 15 2017
Not in Netherlands, no hostsailor. I've been working with my ISP to resolve the issues, and have gone through my router to check settings with them, but they are convinced it is coming from Chrome's end. I will send the first paragraph to them (of comment #16) to see if they can help me resolve the issue. Thank you.
Dec 15 2017
This is definitely an attack, and not a bug in Chrome.

HostSailor is being used as a host provider for a known compromise of Netgear routers that were using the default login credentials. The attack changes the DNS server settings on the router, with the intent of hijacking ebay.com and amazon.com to then steal credit card information. [1]

To fix this, you need to minimally reset your router settings, and definitely put a password on it so it cannot be compromised again. For the DNS server settings you can set it to 8.8.8.8 (Google's public DNS), or your ISP's DNS server if you prefer. That should fix the certificate error you are seeing.

The good news is that Chrome protected you from this attack. The original navigation to http://www.amazon.com/ got redirected by HSTS to https://www.amazon.com. And then the certificate verification rightfully rejected the phony certificate being presented by the attacker.

Closing as WontFix since this requires a fix on the user's end. Cheers.

[1] Source: Comment section from https://www.abuseipdb.com/check/185.82.202.78
Dec 15 2017
(Oh, and also make sure the firmware on your router is up to date, since sometimes those patch security problems)
Comment 1 by kerrnel@chromium.org, Dec 14 2017