Address Bar spoofing in the in-App Browser of Gmail
Reported by
p...@ahmud.net,
Jun 1 2018
Issue description

Steps to reproduce:
1. Send an email with the PoC link to spoof the URL: https://staging.metron.mv/sec/test_poc_only.html
2. Use the iOS Gmail app, go to Inbox & click on the link, press "spoof" & the in-app browser will display "google.com" even when not on Google.
3. That's it.

Please see the provided PoC link for more details.

Browser/OS: Tested on iOS 11.3.1, Gmail version 5.0.180422

Attack scenario: A malicious attacker can send a Gmail user a link that can spoof the in-app browser's address bar. Since an address bar is the only reliable security indicator, a user will follow the link thinking that the page is legit & by Google.

I was diverted here by Google Vulnerability Program with the following message:

"Hey, Thanks for the report. I was able to reproduce this, but I think this report is better suited for the Chrome Vulnerability Rewards Program. To contact them, file a bug here: https://bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug If the Chrome VRP thinks it's not within the scope of that VRP, feel free to come back here and let us know."
,
Jun 1 2018
Reference Info: 80215786 other in Gmail for iOS
component: 310543
status: Assigned
reporter: peep@ahmud.net
assignee: wo...@google.com
-Hotlist: 702027
Status: New Assigned
Assignee: <none> wo...@google.com

Hope you can reference from the information above. Thanks
,
Jun 1 2018
Thank you for reporting. Srikanth, could you please file a bug against Gmail in /b?
Removing components, because this is not a bug against Chrome.
,
Jun 2 2018
Similar to crbug.com/109821 and with a repro like http://lcamtuf.coredump.cx/urldrag/, this basically comes back to a design problem whereby the URL of the UI is updated before a navigation completes, and the UI lacks a clear indication that a navigation is in-progress and the content below the UI does not match the URL in the UI.
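The design problem described in the comment above, modelled as an added example that is not part of the original thread or of any Gmail, Chrome or Safari code: the class names, event names and navigation trace are hypothetical. It contrasts a bar that shows the pending URL with one that names only the committed document and flags a load in progress.

```javascript
// Toy model of an in-app browser address bar (added example; all names are hypothetical).
// Events: "start" = navigation requested, "commit" = new document is now rendered,
// "fail" = navigation was abandoned or errored.
class PendingUrlBar {
  // Weak design: the bar switches to the requested URL as soon as navigation starts.
  constructor(url) { this.committed = url; this.shown = url; }
  start(url) { this.shown = url; }
  commit(url) { this.committed = url; this.shown = url; }
  fail() {} // bar keeps showing a URL that never loaded
  view() { return { host: new URL(this.shown).host, loading: false }; }
}

class CommittedUrlBar {
  // Hardened design: the bar names only the committed document and flags pending loads.
  constructor(url) { this.committed = url; this.pending = null; }
  start(url) { this.pending = url; }
  commit(url) { this.committed = url; this.pending = null; }
  fail() { this.pending = null; }
  view() { return { host: new URL(this.committed).host, loading: this.pending !== null }; }
}

// Replay a navigation trace and record every step where the bar names a host
// other than the one whose document is actually on screen.
function findMismatches(bar, events) {
  const mismatches = [];
  for (const [type, url] of events) {
    if (type === "start") bar.start(url);
    else if (type === "commit") bar.commit(url);
    else if (type === "fail") bar.fail();
    else throw new Error(`unknown event: ${type}`);
    const rendered = new URL(bar.committed).host;
    const { host } = bar.view();
    if (host !== rendered) mismatches.push({ type, shown: host, rendered });
  }
  return mismatches;
}

// Constructed trace: a page on untrusted.example starts a navigation to
// trusted.example that stalls and later fails, so it never commits.
const trace = [
  ["commit", "https://untrusted.example/page"],
  ["start", "https://trusted.example/"],
  ["fail", null],
];

console.log(findMismatches(new PendingUrlBar("about:blank"), trace));
console.log(findMismatches(new CommittedUrlBar("about:blank"), trace));
```

A UI test built on the same idea can replay recorded navigation events and fail whenever the displayed host differs from the committed document's host.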
,
Jun 4 2018
eugenebut: It looks like b/80215786 is already reported in Gmail? (From comment#2 above.) I don't have access to that bug. Can you check?
,
Jun 4 2018
Thanks, I don't have access to b/80215786, which seems like WAI. I will close this bug report, because the problem is not related to Chrome. Mustafa, do you know if reporting URL spoofing in Gmail would qualify for Chrome bounty program?
,
Jun 4 2018
peep@ahmud.net: Just to confirm: This only happens in the Gmail iOS app, is that correct? If so, yes we wouldn't consider it under Chrome VRP and would redirect the bug back to Google VRP. I'll also ask folks at b/80215786 offline.
,
Jun 4 2018
meacer@chromium.org: As mentioned it happens only in the Gmail iOS App. This bug is not related to Chrome Browser.
,
Jun 5 2018
Reply to comment#11: the issue can be reproduced with any app that uses Safari View Controller to render the website links. I can reproduce the same steps with the Google Calendar app as well.
,
Sep 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, Jun 1 2018
Labels: OS-iOS
Owner: eugene...@chromium.org
Status: Assigned (was: Unconfirmed)