| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000f01ccc0ef$b7abfb40$9b7a6fd5@ml> Date: Thu, 22 Dec 2011 23:16:38 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Certificate Spoofing in Google Chrome for Android Hello list! I want to warn you about Certificate Spoofing in Google Chrome for Android. This vulnerability is low risk, but can be used by phishers for stealing certificates from legitimate sites for conducting phishing attacks. ------------------------- Affected products: ------------------------- Vulnerable are Google Chrome for Android 2.3.3 and previous versions (and possibly next versions). ---------- Details: ---------- Certificate Spoofing (WASC-12): It's possible to use certificates from other sites via iframe (so I called this attack as Certificate Stealing). At that it's possible to do that not only for https, but for http sites. As you can see from my screenshots, http site (mine) got certificate from https site (of Google). PoC screenshots: http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-1.jpg http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-2.jpg http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-3.jpg http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-4.jpg http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-5.jpg #1 - Open web site with iframe referenced to another site. #2 - Select Page info in context menu. #3 - There is "View certificate" button, but there must be no one, because it's http site. #4, #5 - Current site has valid certificate of another site. ------------ Timeline: ------------ 2011.12.10 - found vulnerability. 2011.12.20 - informed Google. 2011.12.21 - disclosed at my site. I mentioned about this vulnerability at my site (http://websecurity.com.ua/5587/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists