Issue 826310

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Team-Security-UX




Security: Google Chrome URL Parsing Issue

Reported by vijaylal...@gmail.com, Mar 27 2018

Issue description

Hi Team,

I have observed a URL parsing issue in Google Chrome which can lead to a phishing attack.

VULNERABILITY DETAILS
It seems that there's an issue with URL parsing in Google Chrome which can lead to a phishing attack. When visiting the URL (pasting the URL) "https://domain.com%0A&@fakesite.com" in the address bar, it seems that the user is making an https request for domain.com, but due to the parsing issue, Chrome will make the request to fakesite.com and the user will be redirected to this site, "fakesite.com". This can be used in a phishing attack, which can lure users by making them believe they are requesting the domain after http|https (domain.com in the above example), but actually the browser will make the request to the domain after @ (i.e. fakesite.com in the above example).

VERSION
Chrome Version: Version 65.0.3325.181 (Official Build) (64-bit)
Operating System: Windows 7 Professional SP1 64 bit

REPRODUCTION CASE
Kindly find the attached screenshot "Screenshot1", where I have made a request for "https://domain.com%0A&@fakesite.com", which makes it seem that I am making an https request for the domain "domain.com", but due to the URL parsing issue, my browser has made the request to "fakesite.com", as visible in "Screenshot2". Also, "Screenshot3" shows that in the address bar I have pasted "https://domain.com%0A&@fakesite.com" but my browser is parsing "http://fakesite.com". This can lead to a phishing attack, which makes users believe they are visiting the domain after http|https when actually they are redirected to another domain.

Kindly let me know if you need any further information.
 
Screenshot2.JPG (59.6 KB)
Screenshot1.JPG (64.9 KB)
Screenshot3.JPG (101 KB)

Hi Team,

Thank you for the update. Is it possible for you to share whether there are any plans to fix this bug, as this can lead to a phishing attack?

Best Regards,
Vijay Lalwani
Chrome is working as intended. Phishing attacks aren't very interesting, insofar as the only trustworthy UI in the browser is the Omnibox, and the omnibox hides the UserInfo component when a page loads.

Comment 5 by mgiuca@chromium.org, Mar 28 2018

Status: WontFix (was: Duplicate)
As shown in Screenshot2.JPG, once the site loads, the Omnibox clearly shows "fakesite.com", indicating (correctly) to the user that they are on fakesite.

The only trustworthy UI is the Omnibox *after* the page loads, and this is shown correctly. Users can never trust the Omnibox before the page loads because there may be redirects anyway. This is not a phishing attack.

(Note: Re-labelling from Duplicate to WontFix since it's confusing to have a Duplicate with no attached bug ID.)
Mergedinto: 626951
Status: Duplicate (was: WontFix)
Monorail was buggy this morning. 
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 28 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
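
The URL from the report, run through the WHATWG URL parser that Node.js and browsers expose, as an added example that is not part of the original thread or of Chromium's code. The names `inspectLink`, `HOSTLIKE` and the returned fields are hypothetical; the check is a heuristic a mail or chat link filter could apply before a user ever pastes the link.

```javascript
// Added example: flag links whose userinfo (the part before "@") looks like a
// hostname that differs from the host the browser will actually contact.

// Loose "looks like a hostname" pattern: dot-separated labels ending in a
// label of two or more letters. Heuristic only: "john.doe@" would also match.
const HOSTLIKE = /(?:^|[^a-z0-9-])((?:[a-z0-9-]+\.)+[a-z]{2,})/i;

// decodeURIComponent throws on malformed escapes such as "%zz"; fall back to raw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

function inspectLink(raw) {
  let url;
  try { url = new URL(raw); } catch (_) { return { valid: false }; }

  // Everything between "scheme://" and "@" is userinfo, never the host.
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;
  const match = HOSTLIKE.exec(safeDecode(userinfo));
  const decoyHost = match ? match[1].toLowerCase() : null;

  // Copy of the URL with credentials stripped, i.e. the form that shows only
  // the real origin (the thread notes the Omnibox hides the UserInfo part).
  const shown = new URL(url.href);
  shown.username = '';
  shown.password = '';

  return {
    valid: true,
    host: url.hostname,       // where the request really goes
    userinfo,                 // as serialized by the parser
    decoyHost,                // hostname-like text found in userinfo, if any
    suspicious: decoyHost !== null && decoyHost !== url.hostname,
    display: shown.href,
  };
}

// The string from the report (constructed sample, taken from the page).
console.log(inspectLink('https://domain.com%0A&@fakesite.com'));
```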
