Issue 871021

Issue metadata

Status: Duplicate
Merged: issue 812769
Owner:
Closed: Aug 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security




Security: fullscreen notification can be overlapped by 401 basic unauthorized dialog

Reported by zxyrz...@gmail.com, Aug 4

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36

Steps to reproduce the problem:
1. open http://test.au1ge.xyz/401.html
2. click start

What is the expected behavior?
401 unauthorized dialog should kick out fullscreen

What went wrong?
By adding an iframe with a 401 unauthorized page, the fullscreen notification can be overlapped, which leads to UI spoofing.

Did this work before? N/A 

Chrome version: 68.0.3440.84  Channel: stable
OS Version: OS X 10.13.6
Flash Version: Shockwave Flash 30.0 r0
 
401.mov
4.0 MB View Download
And I use a modal dialog to finish the phishing attack.
Anyone to handle this issue?
Labels: Needs-Feedback
I've tried entering some data into the spoofing dialog and it looks like that data was passed to google.com, i.e. I've been redirected to https://www.google.com/?account=asd&password=a&email=a&submit=Submit&gws_rd=ssl

Could you add that dialog on top of google.com page, but actually submit the form to some other server?

OK, the dialog is a step to finish the attack, and the real bug is that the fullscreen notification can be overlapped. It's easy to steal the victim's input: I just need to add an event listener on form submit and make an AJAX request. I will attach the attack code, and I have already updated the online demo; after you fill out the dialog, you can open http://test.au1ge.xyz/pw.txt to see your input.
base64_decode.html
1.4 KB View Download
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 6

Cc: mmoroz@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: UI>Browser>FullScreen Blink>HTML>Dialog
Labels: M-69 Security_Severity-Medium Security_Impact-Stable
Owner: kenrb@chromium.org
Status: Assigned (was: Unconfirmed)
Nice, thanks for the updated PoC!


kenrb@, I've seen some other spoofing issues assigned to you. Could you please take a look at this one?
Cc: -mmoroz@chromium.org
Cc: a...@chromium.org
Project Member

Comment 9 by sheriffbot@chromium.org, Aug 7

Labels: -Pri-2 Pri-1
Mergedinto: 812769
Status: Duplicate (was: Assigned)
This is identical to issue 817809, which was duped into issue 812769, so presumably this should be similarly duped.

Comment 11 Deleted

Project Member

Comment 12 by sheriffbot@chromium.org, Dec 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
