phishing redirects from chrome for two letter TLD
Reported by
rvattakk...@a2hosting.com,
Jul 12
|
||||||||||||
Issue description
Chrome Version : 67.0.3396.99
OS Version: OS X 10.13.5
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari:
Firefox:
IE/Edge:
What steps will reproduce the problem?
1.try to access any URL with two letter TLD and the domain name actually doesn't exist
2. for eg: "randomblabla.fr" or "randomblabla.us" but not "randomblabla.com"
3. domain should not exist. For eg: "google.in" won't work
What is the expected result?
It should return page not found "This site can’t be reached"
What happens instead of that?
It is redirecting to random phishing urls for eg:
http://ww62.schatfx.com/
http://ww2.acessoriosparablogs.com.br/
http://ww92.dreamparktv.com/
Please provide any additional information below. Attach a screenshot if
possible.
Event log is attached for this call
Tried following, but didn't help
- uninstall and install
- remove profiles : ~/Library/Application Support/Google/Chrome
- reset from the settings
- remove cache: ~/Library/Caches
UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
,
Jul 12
,
Jul 13
Unable to reproduce the issue on mac 10.13.3 using chrome reported version #67.0.3396.99 and latest canary #69.0.3489.0. Attached a screen cast for reference. Following are the steps followed to reproduce the issue. ------------ 1. Navigated to randomblabla.fr/randomblabla.us 2. Observed that it returned page not found "This site can’t be reached" error. rvattakkandy@ - Could you please check the issue on latest canary #69.0.3489.0 by creating a new profile without any apps and extensions and please let us know if the issue still persist or not. Thanks...!!
,
Jul 16
Tried latest canary #69.0.3489.0 and still the issue exist I have re-installed my Mac OS, and then installed chrome freshly again, but still the issue exist! This is one of the strangest issue that I ever faced. - Tried from multiple ISPs (with Wifi connectivity to the router) and the issue exist everywhere - Issue doesn't exist when connecting through my mobile hotspot - wiped complete hard disk and installed Mac OS freshly, still issue exist In any case, this issue is not present in firefox/safari. Wondering why it is affected to chrome only! Attached the screen recording at: https://drive.google.com/file/d/17IFCz-e-cPt4xuES11TVYq-sK742HsTj/view?usp=sharing
,
Jul 16
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 16
I have reinstalled the mac by following: https://support.apple.com/en-in/HT204904
,
Jul 16
This could be two things: 1) An extension you have installed. 2) A DNS setting. Some routers will return a A record for any site and then do a redirect on that. Have you tried forcing to either OpenDNS or GoogleDNS?
,
Jul 16
Answers: 1. As you see in my recorded video, its a freshly installed macOS and chrome. No extensions installed 2. Yes, I tried google dns 8.8.8.8 and the problem persist As I mentioned, I tried with different ISPs and the problem persist. Is there a way we could collect more debug data to identify the root cause?
,
Jul 16
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 16
,
Jul 16
From the dns cache "chrome://net-internals/#dns" found following: Not sure how chrome alone is getting this dns records, while firefox/safari/manual commands fails to retrieve these entries.
,
Jul 16
# nslookup blablabladfd.fr Server: 8.8.8.8 Address: 8.8.8.8#53 ** server can't find blablabladfd.fr: NXDOMAIN
,
Jul 16
I just captured the tcpdump for the dns lookup while trying from google chrome: 20:03:34.884321 IP 192.168.1.2.48838 > google-public-dns-a.google.com.domain: 3829+ A? dsfsafdasf.us. (31) 20:03:34.934247 IP google-public-dns-a.google.com.domain > 192.168.1.2.48838: 3829 NXDomain 0/1/0 (97) 20:03:34.934659 IP 192.168.1.2.4392 > google-public-dns-a.google.com.domain: 18828+ A? dsfsafdasf.us.domain.name. (43) 20:03:35.331731 IP google-public-dns-a.google.com.domain > 192.168.1.2.4392: 18828 4/0/0 CNAME us.domain.name., A 87.98.219.110, A 91.121.91.180, A 198.245.51.138 (105) Hope this will be helpful
,
Jul 17
I see that default domain configured on the router is set to "domain.name" and that is causing this problem I think. Still, this could possibly be a chrome bug. We need to answer following questions. 1. why does chrome append the default search domain when a domain suffix is already given, for eg "domain.us" 2. This behaviour is not seen in any other browsers 3. This is not seen in windows version of google chrome
,
Jul 18
,
Jul 18
[+mef]: Are we using the stub resolver on OSX?
,
Jul 18
I'm positive that we use proc (system) resolver on iOS as we can't get the DNS Config. IIRC we've had experimented with Async DNS on Mac OS X, but I'm not positive. rvattakkandy@: Could you collect a net internals log after restarting the browser and following these instructions: https://dev.chromium.org/for-testers/providing-network-details
,
Jul 19
Attached net log tried accessing the URL: blablatestbla.fr and got redirected to: https://nxd-media.com
,
Jul 25
As the net log has been provided in comment#18 by reporter, requesting someone from Network team to have a look into it for further investigation of the log provided, hence adding label "TE-NeedsTriageHelp". Thanks!
,
Jul 25
355: HOST_RESOLVER_IMPL_JOB
blablatestbla.fr
Start Time: 2018-07-18 20:52:10.274
t= 907 [st= 0] +HOST_RESOLVER_IMPL_JOB [dt=472]
--> host = "blablatestbla.fr"
--> source_dependency = 354 (TRANSPORT_CONNECT_JOB)
t= 907 [st= 0] HOST_RESOLVER_IMPL_JOB_STARTED
t= 907 [st= 0] +HOST_RESOLVER_IMPL_DNS_TASK [dt=472]
t= 907 [st= 0] +DNS_TRANSACTION [dt=472]
--> hostname = "blablatestbla.fr"
--> query_type = 1
t= 907 [st= 0] +DNS_TRANSACTION_QUERY [dt=57]
--> qname = "blablatestbla.fr"
t= 907 [st= 0] DNS_TRANSACTION_ATTEMPT
--> source_dependency = 356 (UDP_SOCKET)
t= 907 [st= 0] HOST_RESOLVER_IMPL_JOB_REQUEST_ATTACH
--> priority = "IDLE"
--> source_dependency = 354 (TRANSPORT_CONNECT_JOB)
t= 908 [st= 1] HOST_RESOLVER_IMPL_JOB_REQUEST_ATTACH
--> priority = "IDLE"
--> source_dependency = 357 (TRANSPORT_CONNECT_JOB)
t= 964 [st= 57] DNS_TRANSACTION_RESPONSE
--> answer_count = 0
--> rcode = 3
--> source_dependency = 356 (UDP_SOCKET)
t= 964 [st= 57] -DNS_TRANSACTION_QUERY
--> net_error = -105 (ERR_NAME_NOT_RESOLVED)
t= 964 [st= 57] +DNS_TRANSACTION_QUERY [dt=415]
--> qname = "blablatestbla.fr.domain.name"
t= 964 [st= 57] DNS_TRANSACTION_ATTEMPT
--> source_dependency = 361 (UDP_SOCKET)
t=1379 [st=472] DNS_TRANSACTION_RESPONSE
--> answer_count = 4
--> rcode = 0
--> source_dependency = 361 (UDP_SOCKET)
t=1379 [st=472] -DNS_TRANSACTION_QUERY
t=1379 [st=472] -DNS_TRANSACTION
t=1379 [st=472] -HOST_RESOLVER_IMPL_DNS_TASK
--> address_list = ["87.98.219.110:0","91.121.91.180:0","198.245.51.138:0"]
t=1379 [st=472] -HOST_RESOLVER_IMPL_JOB
,
Jul 25
mmenke@: The HOST_RESOLVER_IMPL_DNS_TASK is coming from Async resolver. It is enabled on Mac OS by default.
,
Jul 25
Retrying failed DNS resolutions appending each entry from res_init()'s dnsrch list (the list of domains to be searched) seems to be correct default behavior (see how RES_DNSRCH is default enabled). Using wireshark we verified both Mac and Linux do this when you for example try and ping an unknown host (i.e. if you try and ping "a" and your dnsrch list is "b" and "c", getaddrinfo() will issue resolution requests for "a", "a.b", and "a.c"). The issue here seems to be the incorrect dnsrch list your router is installing. Could you comment about what router brand and model you're using? If this is a common misconfiguration, perhaps a mitigation in Chrome is a possible solution.
,
Jul 25
It is not just dnsrch list in my router configuration. default dnsrch domain in router is configured to: domain.name You can easily reproduce this if you set dnsrch domain to "domain.name" Key points here: - this issue is not happening with any other browsers, but just chrome - "blablatestbla.fr" is an FQDN with ".fr" as the TLD. So it should not go and append dnsrch domain, but should return 404 error - Same behaviour is not seen with windows version of google chrome. - This incorrect behaviour is now misused by phishing websites, as given in this example.
,
Jul 25
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 31
Hmm I'm not sure where it's documented that hostnames with TLD suffixes should bypass dnsrch. Things like ping don't seem to conform to this. Still seems like a dnsrch of domain.name is a misconfiguration. My ISP, one of the most popular in the US, gives out legit dnsrch's which my Linksys router happily passes along via DHCP.
,
Jul 31
see the ping output: # ping blablabladfd1.fr ping: cannot resolve blablabladfd1.fr: Unknown host tcpdump: 05:56:19.169875 IP 192.168.1.3.57453 > google-public-dns-a.google.com.domain: 45770+ A? blablabladfd1.fr. (34) 05:56:19.171365 IP 192.168.1.3.64010 > google-public-dns-a.google.com.domain: 20039+ PTR? 3.1.168.192.in-addr.arpa. (42) 05:56:19.218735 IP google-public-dns-a.google.com.domain > 192.168.1.3.57453: 45770 NXDomain 0/1/0 (94) 05:56:19.221157 IP google-public-dns-a.google.com.domain > 192.168.1.3.64010: 20039 NXDomain 0/0/0 (42) |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by rvattakk...@a2hosting.com
, Jul 12