Issue 808870

Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Interstitial Redirect leads to abusing the user's trust through phishing

Reported by vijay.ti...@gmail.com, Feb 4 2018

Issue description

VULNERABILITY DETAILS
An interstitial web page is one that is shown before expected content. Using one is a common method to protect against open redirect vulnerabilities since any time you're redirecting a user to a URL, you can show an interstitial web page with a message explaining to the user that they are leaving the domain they are on. This way, if the redirect page shows a fake login or tries to pretend to be the trusted domain, the user will know that they are being redirected. This is the approach most browsers like Firefox take when following most URLs off their site, for example when following links in submitted reports. Although interstitial web pages/windows are used to avoid redirect vulnerabilities, complications in the way sites interact with one another can still lead to compromised links.

VERSION
Chrome Version: 64.0.3282.119 (Official Build) (64-bit)


REPRODUCTION CASE
Open the Chrome browser:

Type any website, e.g. www.google.com@[any malicious domain]

e.g. https://www.google.com@msn.com

It should let the user know where he is going and maintain the trust relationship through an interstitial window or web page.

But it doesn't, and redirects you to the other domain.

If you open the same URL in Firefox it shows an interstitial window to prevent unconscious redirection of the user.

Attached is a POC video which demonstrates how we can perform a phishing attack using this bug in Chrome.

Regards,

Vijay Tikudave


Attachment: Interstitial Redirect.mp4 (4.4 MB)
To expound upon the explanation in #1, there's no redirection involved in this scenario. Everything in the first component of the URL before the @ symbol is userinfo (username/password). Some browsers (IE) chose to forbid userinfo in HTTP URLs, others provide warnings (Firefox), while Chrome only forbids userinfo in sub-resource loads.
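To illustrate the userinfo parsing described in the comment above, here is an added example (not code from the report or from Chromium): it splits the reported URL with Python's standard `urllib.parse` to show that the text before `@` is userinfo and the real destination is the host after it, and applies a link-filter policy of the kind a mail gateway could use. `TRUSTED_HOSTS` and the sample URLs other than the reported one are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed example values: the URL from the report and a placeholder allow-list
# of hosts users are trained to trust (assumption, not a real policy).
REPORTED_URL = "https://www.google.com@msn.com"
TRUSTED_HOSTS = {"www.google.com", "accounts.google.com"}


def describe_url(url: str) -> dict:
    """Split an absolute URL into its RFC 3986 components.

    In the authority, everything before the last '@' is userinfo
    (username[:password]); the host the browser connects to comes after it.
    """
    parts = urlsplit(url)
    userinfo = None
    if parts.username is not None or parts.password is not None:
        userinfo = parts.netloc.rsplit("@", 1)[0]
    return {
        "scheme": parts.scheme.lower(),
        "userinfo": userinfo,    # e.g. "www.google.com": display text, never a destination
        "host": parts.hostname,  # e.g. "msn.com": the actual destination
    }


def classify_link(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Policy a mail gateway or link filter could apply to http(s) links.

    'reject': userinfo impersonates a trusted host or looks like a host name
              (the pattern in this report)
    'warn'  : any other userinfo in an http(s) URL (what Firefox prompts on)
    'ok'    : no userinfo, or not an http(s) URL
    """
    info = describe_url(url)
    if info["scheme"] not in ("http", "https") or info["userinfo"] is None:
        return "ok"
    lookalike = info["userinfo"].split(":", 1)[0].lower()  # drop any password part
    if lookalike in trusted_hosts or "." in lookalike:
        return "reject"
    return "warn"


if __name__ == "__main__":
    for u in (REPORTED_URL, "https://www.google.com/", "https://alice:secret@example.org/"):
        print(u, "-> host:", describe_url(u)["host"], "| policy:", classify_link(u))
```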
Thanks for the explanation. I understand that it can prevent spoofing when we put the URL http://www.google.com@evilurl.com by showing evilurl.com in the address bar, but how can it prevent a phishing attack when a URL in mail automatically opens in the Chrome browser, since the evil URL can be dangerous and can automatically execute a script or malware when opened in the browser?

There should be an interstitial window to let the user know what he is going to browse.


Regards,

Vijay Tikudave
A browser cannot "prevent phishing" with any UI measure if the user is unwilling to look at the URL in the address bar.
Thanks for the explanation, but if we had an interstitial window placed there then it would prevent such a scenario.

Anyway thank you very much.
Project Member

Comment 6 by sheriffbot@chromium.org, May 14 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot