URL Spoof using '。' instead of period
Reported by
tiebuc...@gmail.com,
Apr 19 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce the problem:

Step 1:

Case 1: When I input 'https://www。google。com' in the URL directly, Chrome will transform the '。' into '.'.

Case 2:
-------ok.html-------
<meta http-equiv="Content-Type" content="text/html; charset=GBK" />
<a href="http://www。google.com">OK</a>
------------------------
When I click "OK", Chrome will jump to http://www銆俫oogle.com/

Case 3:
-------spoof.html-------
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<a href="http://www。google.com">url spoof</a>
------------------------
When I click "url spoof", Chrome will jump to https://www.google.com/

Step 2: How to exploit this feature?

Phishing: I can register a new domain www銆俫oogle.com, then I can cheat the victim into visiting the fake website (especially for Chinese).
Bypass: Bypass the security check.

What is the expected behavior?

What went wrong?
In fact, 'http://www。google.com' is a good URL if you input it from the input box. But when you put it in the HTML content and set the charset to 'GBK', it booms.

Did this work before? N/A
Chrome version: 66.0.3359.117 Channel: stable
OS Version: 10.0
Flash Version:

Deal with '。' in a special way.
,
Apr 19 2018
,
Apr 19 2018
Applying Security_Severity-Medium but I strongly suspect that this is WAI. Getting people to click on a link isn't interesting. Getting them to believe that they are on a more trustworthy site when they are not is interesting and that's not happening here.
,
Apr 20 2018
The URL with '。' in the HTML content is not what it seems. But in the omnibox, the '。' is '.'. This may cause confusion and cheat the victim.
,
Apr 20 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 20 2018
,
Apr 20 2018
,
Apr 21 2018
I agree with part of your assessment in #c4 that there's some inconsistency here but I don't think it is a security issue. Let me break down my argument by the cases you listed:

Case 1: The '。' is automatically converted to '.', which is arguably what the user would expect in most cases. So, no issue.

Case 2: "Chrome will jump to http://www銆俫oogle.com/": yes, but the Omnibox will show that clearly so the user would know what website they are on. If this website turns malicious, Safe Browsing should catch it at that point. So, no issue.

Case 3: "Chrome will jump to https://www.google.com/": yes, this is same as case 1. So, no issue.

Please let me know if I misunderstood your comment. Marking it as WontFix in the meantime.
,
Apr 26 2018
I can put the URL 'http://www。google.com' in an iframe for phishing. It looks more like visual fraud. Maybe it is not a security issue :)
,
Jul 28
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
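Added example, not part of the original report or of Chromium's code: a host check that folds '。' and its look-alike dots to '.' before comparing against policy, so a filter sees the same host the browser navigates to in cases 1 and 3, and sees the case 2 host as the separate IDN it is. The function names and the ALLOWED_HOSTS policy are hypothetical, and Python's built-in idna codec stands in as an approximation of browser host processing.

```python
from urllib.parse import urlsplit

# Code points that UTS #46 host processing maps to "." (U+002E):
# U+3002 ideographic full stop, U+FF0E fullwidth full stop,
# U+FF61 halfwidth ideographic full stop.
_DOT_TABLE = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})

ALLOWED_HOSTS = frozenset({"www.google.com"})  # constructed sample policy


def raw_host(url):
    """Host as a naive filter sees it: no dot folding."""
    return urlsplit(url).hostname or ""


def canonical_host(url):
    """Fold dot equivalents, then convert each label to its ASCII (punycode) form."""
    labels = raw_host(url).translate(_DOT_TABLE).rstrip(".").split(".")
    return ".".join(label.encode("idna").decode("ascii") for label in labels)


def misdecode_as_gbk(text):
    """Case 2: the file is saved as UTF-8 but the page declares charset=GBK."""
    return text.encode("utf-8").decode("gbk")


def is_allowed(url):
    """Policy decision made on the canonical host, never on the raw string."""
    return canonical_host(url) in ALLOWED_HOSTS


if __name__ == "__main__":
    samples = (
        "http://www。google.com",                          # cases 1 and 3
        "http://" + misdecode_as_gbk("www。google.com"),   # case 2
    )
    for url in samples:
        print(repr(raw_host(url)), "->", canonical_host(url), is_allowed(url))
```

In case 2 the three UTF-8 bytes of '。' plus the following 'g' are consumed as two GBK characters, so the link target is a single non-ASCII label under .com rather than www.google.com.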
Comment 1 by elawrence@chromium.org
, Apr 19 2018