Security: Omnibox spoof possible on Android when the user has scrolled the web page
Reported by
nibar...@gmail.com,
Sep 14
Issue description

VULNERABILITY DETAILS
The omnibox in Chrome on Android hides automatically when you scroll the page. It is shown again if you click on any link to another page. However it is not shown if you click on an anchor link or if the scroll position is changed by a javascript. This makes it possible to spoof the omnibox and trick the users into believing that they have navigated away to a trusted site while they are in fact still on the malicious site.

VERSION
Chrome Version: 68.0.3440.91 stable
Operating System: Android 9.0.0; Pixel 2 Build/PPR2.180905.005

REPRODUCTION CASE
* Download the attached address_bar_spoof.html file and open it with Chrome
* Scroll down a bit on the page so that the omnibox is hidden
* Click on the link that takes you to facebook.com as instructed.
* Look at all the expected visual clues before you log in and see that the address in the omnibox is correct, the padlock is shown, and it generally looks like you're on Facebook.

What you see is actually not facebook, you're still on the address_bar_spoof.html page.

Here is an (unlisted) video showing the spoof: https://youtu.be/-eUTpMPy0AY
Sep 21
Sep 21
Sep 29
dtrainor: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 30
Hey sorry I missed this. Reassigning to tedchoc@
Oct 13
tedchoc: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 13
We only show the URL when the domain changes intentionally. We don't want it to jump around constantly. We also show the omnibox permanently in situations that we think are privacy sensitive (e.g. when you are entering text). We are doing some UI explorations around showing the URL always, but this has been a known issue since we implemented omnibox hiding 6 years ago.
Jan 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org
, Sep 20
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android
Owner: dtrainor@chromium.org
Status: Assigned (was: Unconfirmed)