Security: Address bar suggests homograph lookalikes for IP addresses
Reported by
mich...@mahemoff.com,
Feb 23 2018
Issue description

VULNERABILITY DETAILS
Google search auto-completes "192.168" to "fake IP number" domains such as 192.168.l.l and 192.168.l.254 (those being lowercase "L" instead of the expected "1"). (See screenshot 192.168.autocomplete.png)

This could be exploited to perform a phishing attempt. The owner of a domain such as 192.168.l.l could inspect the requester's IP and other metadata and predict they are resident within a certain company's intranet, and then present the company's login page to steal their credentials. Even without guessing anything about the client, they could present a generic company login page or mimic a router's login page.

By accepting the suggestion of 192.168.l.l and typing "login", we can see routers such as dlink being suggested to continue the phrase (See screenshot 192.168.login.autocomplete.png). Fortunately this will lead to a Google search where the top term is _not_ that domain, but in some cases, it could be.

A probable fix is to disallow autocompletion for valid IP numbers, or at least commonly used prefixes such as "192.168" and "0.0". Arguably Google search should also make this change.

VERSION
Chrome Version: 62.0.3202.75 stable
Operating System: Ubuntu 17.10

REPRODUCTION CASE
Screenshot is attached, obtained by typing "192.168." into Chrome address bar

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A
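
Added example, not part of the original report and not Chromium's code: a narrower variant of the fix proposed above that, instead of disabling autocompletion for IP-like input, drops only suggestions whose host is not an IPv4 literal but becomes one once confusable letters are read as digits. The function names, the confusable map beyond lowercase "l", and the sample suggestions are assumptions constructed for illustration.

```javascript
// Assumed confusable map; the report itself only names lowercase "l" for "1".
const CONFUSABLE_TO_DIGIT = { l: "1", I: "1", o: "0", O: "0" };

// Strict dotted quad: four decimal octets in 0-255, no leading zeros.
function isIPv4Literal(host) {
  const parts = host.split(".");
  return (
    parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255)
  );
}

// Returns the IPv4 address that `host` imitates, or null if it imitates none.
// A genuine IPv4 literal is not a lookalike, so it also yields null.
function ipv4LookalikeOf(host) {
  const h = host.replace(/\.$/, ""); // tolerate a trailing root dot
  if (isIPv4Literal(h)) return null;
  const folded = h.replace(/[lIoO]/g, (c) => CONFUSABLE_TO_DIGIT[c]);
  return folded !== h && isIPv4Literal(folded) ? folded : null;
}

// Pull the host out of a suggestion such as "http://192.168.l.l/admin"
// or a search phrase such as "192.168.l.l login".
function hostOfSuggestion(suggestion) {
  const noScheme = suggestion.trim().replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.split(/[\s/:?#]/)[0];
}

// When the typed text is a numeric IPv4 prefix ("192.168.", "0.0"),
// keep only suggestions whose host is not an IPv4 lookalike.
function filterSuggestions(typed, suggestions) {
  if (!/^\d{1,3}(\.\d{0,3}){0,3}$/.test(typed)) return suggestions.slice();
  return suggestions.filter((s) => ipv4LookalikeOf(hostOfSuggestion(s)) === null);
}

// Constructed sample suggestions, not captured from a real omnibox session.
const sample = [
  "192.168.1.1",
  "192.168.l.l",
  "192.168.l.254",
  "192.168.l.l login",
  "http://192.168.l.l/admin",
  "192.168.0.1 admin",
];
console.log(filterSuggestions("192.168.", sample));
```
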
,
Feb 23 2018
Good point. It might be okay unless endings like .ll and .lo become available, which they aren't presently. Google search is still a risk though if the same domain ends up on top, which hopefully Google search would prevent.
,
Feb 23 2018
This seems like severity Low, but perhaps we can land a defence-in-depth feature as suggested by the reporter (perhaps do not autocomplete IP addresses from search). Assigning to pkasting@ to triage for omnibox.
,
Feb 24 2018
,
Mar 5 2018
I'm not on omnibox anymore; their regular triage procedure should deal with this.
,
Mar 5 2018
(That said, I think this should be WontFix. I don't think we should take any client-side action against this.)
,
May 3 2018
krb@ - perhaps you could suggest an owner for this, or just close as wontfix. Thanks.
,
May 3 2018
From what I recall about the discussion around this, we will close it WontFix. For some explanation, there is little we can do beyond what we are doing. For example, a far worse attack would be to grab the domain goog1e.com (if that can even be done.) The protection against it is that the security chip will not show "Google Inc".
,
Aug 10
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 23 2018
Labels: Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: Security: Address bar suggests homograph lookalikes for IP addresses (was: Security: Address bar autocompletes IP numbers (vulnerable to phishing attempts))