
Issue 810949


Issue metadata

Status: WontFix
Closed: Feb 2018
Type: Bug




SafeBrowse Bypass by javascript location manipulation

Reported by fles...@gmail.com, Feb 9 2018

Issue description

VERSION
Chrome Version 64.0.3282.140 (Official Build) (64-bit) (stable)
Operating System: Mac OS X 10.13.3 (17D47) 


REPRODUCTION CASE

The referenced website (1) is currently listed in SafeBrowse.

Visiting the website in a new Chrome Incognito window
briefly displays the SafeBrowse block page then redirects
to a credential harvester on a different domain.

No user interaction with the SafeBrowse block page
is needed, the bypass is automatic. 

The webpage has three methods of redirect
  1. <META refresh>
  2. self.location.replace()
  3. window.location = ...

Since I don't control any sites currently listed on SafeBrowse
I'm not sure how to further experiment to see which of the three
methods (or combination) is responsible for bypassing the 
SafeBrowse block page. 

Javascript returned from (1) is shown below in (2) in 
case the site is taken down before this can be evaluated 
live. 

My apologies in advance if this is the wrong place to submit,
I am such a noob at reporting of this type.

(1) hxxp://www.retdecor.com[.]br/Loh.php

(2) Return from (1), neutered.
```
<html><head>
<meta HTTP-Equiv="refresh" content="0; URL=hxxps://www.securitariosribeiraopreto.org[.]br/pmj/LGF">
<script type="text/javascript">
loc = "hxxps://www.securitariosribeiraopreto.org[.]br/pmj/LGF"
self.location.replace(loc);
window.location = loc;
</script>
</head></html>
```
 
Labels: SafeBrowsing-Triaged
Owner: vakh@chromium.org
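
For triage of pages like the one in the report, the following added example (not part of the original report and not Chrome or Safe Browsing code) statically flags the three automatic redirect methods listed above and marks whether each target is on a different host. The function name `findAutoRedirects`, the field names and the sample domains are constructed for illustration.

```javascript
// Added example: static triage of a page for automatic redirects (no user interaction).
// Sample URLs are constructed and defanged; REFANG only undoes hxxp / [.] for URL parsing.
const REFANG = s => s.replace(/^hxxp/i, "http").replace(/\[\.\]/g, ".");

function findAutoRedirects(html, pageUrl) {
  const base = new URL(REFANG(pageUrl));
  const findings = [];
  const add = (method, target) => {
    let crossHost = null; // null = target could not be resolved statically
    try { crossHost = new URL(REFANG(target), base).hostname !== base.hostname; } catch (_) {}
    findings.push({ method, target, crossHost });
  };
  // 1. <meta http-equiv="refresh" content="N; URL=...">
  for (const tag of html.match(/<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b[^>]*>/gi) || []) {
    const m = tag.match(/content\s*=\s*(["'])\s*\d+\s*[;,]\s*url\s*=\s*(.*?)\1/i);
    if (m) add("meta-refresh", m[2].trim());
  }
  // Scripted navigation is only searched for inside <script> bodies.
  const js = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]).join("\n");
  // Identifiers assigned a plain string literal (e.g. loc = "...") can be resolved.
  const vars = new Map();
  for (const m of js.matchAll(/(?:^|[;\s])([A-Za-z_$][\w$]*)\s*=\s*(["'])(.*?)\2/gm)) vars.set(m[1], m[3]);
  const resolve = expr => {
    const e = expr.trim(), lit = e.match(/^(["'])(.*)\1$/);
    return lit ? lit[2] : (vars.has(e) ? vars.get(e) : null);
  };
  // 2. location.replace(x) / location.assign(x)
  for (const m of js.matchAll(/\blocation\.(replace|assign)\(([^)]*)\)/g)) add(`location.${m[1]}`, resolve(m[2]));
  // 3. location = x / location.href = x
  for (const m of js.matchAll(/\blocation(?:\.href)?\s*=(?!=)\s*([^;\n]+)/g)) add("location-assign", resolve(m[1]));
  return findings;
}

// Constructed sample with the same structure as the page in the report.
const PAGE_URL = "hxxp://listed.example[.]org/page.php";
const SAMPLE = `<html><head>
<meta HTTP-Equiv="refresh" content="0; URL=hxxps://landing.example[.]net/x">
<script type="text/javascript">
loc = "hxxps://landing.example[.]net/x"
self.location.replace(loc);
window.location = loc;
</script>
</head></html>`;

console.log(findAutoRedirects(SAMPLE, PAGE_URL));
```
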

Comment 2 by vakh@chromium.org, Feb 16 2018

Status: WontFix (was: Unconfirmed)
Thanks for reporting the issue.

I am unable to reproduce the warning on the [1] link that you shared but I can confirm that it redirects to a phishing site. Even if it did show an interstitial for a brief moment and then redirected, that's not a bug.

The only actionable thing at this moment is to report the final URL for phishing and I'll do that. Since there's no change required in Chrome for this, I'm going to mark this as WontFix.
Project Member

Comment 3 by sheriffbot@chromium.org, May 26 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
