
Issue 853628 link

Starred by 4 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug




Security Vulnerability in Google Chrome Mobile Browser

Reported by arslanar...@gmail.com, Jun 18 2018

Issue description

Vulnerability Report

Date: 18-June-2018


Settings
Mobile Browser: Google Chrome (version 67.0.3396.87)
Operating System: iPhone (iOS 11.4)

Vulnerabilities

I found the vulnerability by abusing URL parsers: once you add the @& operator inside a parameter, the Google Chrome Mobile browser does not verify that it is sending you to another domain. It is very easy to redirect the victim to another domain and perform phishing attacks. You can watch the POC video; in this video I used a Gmail phishing attack for demo purposes only. Please copy the URL below and paste it into your mobile browser.

https://www.microsoft.com&@facebook.com#/en-us/education/products/teams/default.aspx
Then you will be redirected to facebook.com.

Thank you.
 
Attachment: Video.MOV (4.2 MB)
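As an added illustration (not part of the report or of Chromium's code), the Python below shows how a standards-based URL parser splits the reported URL: everything before the last `@` in the authority is userinfo, so the host the browser actually connects to is facebook.com, and the "microsoft.com" part is never a hostname at all. The same split can be used to flag links whose userinfo looks like a hostname; the sample URLs are constructed, modelled on the one in the report.

```python
from urllib.parse import urlsplit

# Constructed sample URLs modelled on the one in the report (not taken from any live page).
SAMPLES = [
    "https://www.microsoft.com&@facebook.com#/en-us/education/products/teams/default.aspx",
    "https://www.microsoft.com/en-us/education/products/teams/default.aspx",
    "https://user:secret@example.com/login",
]


def effective_host(url):
    """Host the browser connects to: the part of the authority after the last '@'."""
    return urlsplit(url).hostname


def userinfo(url):
    """Userinfo (user[:password]) that precedes the '@' in the authority, or '' if absent."""
    parts = urlsplit(url)
    if parts.username is None:
        return ""
    if parts.password is None:
        return parts.username
    return f"{parts.username}:{parts.password}"


def looks_deceptive(url):
    """Flag a URL whose userinfo resembles a hostname or path (contains '.' or '/').

    Ordinary credentials such as 'user:secret' are not flagged; 'www.microsoft.com&' is.
    """
    ui = userinfo(url)
    return bool(ui) and ("." in ui or "/" in ui)


def audit(urls):
    """Return (url, effective host, userinfo, flagged) for each URL, for logging or review."""
    return [(u, effective_host(u), userinfo(u), looks_deceptive(u)) for u in urls]


if __name__ == "__main__":
    for url, host, ui, flagged in audit(SAMPLES):
        print(f"{'DECEPTIVE' if flagged else 'ok       '} host={host!r} userinfo={ui!r}  {url}")
```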

Comment 1 by wfh@chromium.org, Jun 18 2018

Components: UI>Browser>Navigation
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback OS-iOS Pri-2 Type-Bug
Status: Untriaged (was: Unconfirmed)
Thanks for your report.

This might be a navigation bug, but certainly not a security bug, since the correct URL is displayed before the user gets to interact with the page.

This has the same characteristics as an open redirector, which we normally do not see as a security vulnerability.

https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

Does this only happen for e.g. microsoft.com - or for any URL?

Hi,
This bug can lead to a very serious security issue. On desktop Google Chrome, if you type the same URL, it will alert you with a pop-up. But the mobile browser will not alert you with any pop-up. Imagine an attacker uses a browser exploit and wants to redirect the user to his own website/server. Then the end user can be compromised, because most end users just focus on the start of the URL, e.g. https://google.com, and ignore the rest of it. And by using this technique you can use any website, such as Google, Apple, Microsoft or Facebook. And this vulnerability exists in the browser, not in the website.

Comment 3 by sczs@chromium.org, Jun 20 2018

Cc: danyao@chromium.org
Owner: eugene...@chromium.org
Status: Assigned (was: Untriaged)
eugenebut@ FYI
Cc: wfh@chromium.org
wfh@, why do you think this is a navigation bug? Chrome correctly loaded the website with the right domain and showed the correct URL in the omnibox. Maybe I'm missing something?

Hi,
Yes, Chrome correctly loaded the website with the right domain. But what about an open redirection attack? The mobile Chrome browser did not alert you that you are going to another website; it only alerts you on a desktop PC. Before clicking on the link we see that it starts with https://www.microsoft.com, but the next parameter will redirect you to malicious.com. And the victim can be compromised if the attacker hosted any malware on his website.
Here is an example below.
https://www.microsoft.com&@maliciousdomain.com#/enus/education/products/teams/default.aspx

If I copy the same URL and paste it into the Google Chrome desktop browser, it will alert with a pop-up. But if you paste it into the mobile Chrome browser, you can easily be redirected to malicious.com.

Thank you,
Best regards,
Arslan Arshad

Reference:
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Cc: -wfh@chromium.org eugene...@chromium.org
Owner: wfh@chromium.org
wfh@, what behavior do you expect from Chrome for iOS here?

Comment 7 Deleted
