Date: Tue, 30 Jun 2015 10:04:11 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Google Chrome Address Spoofing (Request For
 Comment)

On 30/06/15 09:52 AM, Florian Weimer wrote:
> On 06/30/2015 03:45 PM, Daniel Micay wrote:
>> It does display a window with the oracle.com address, but I don't
>> understand why you've got an ever increasing number of setTimeout events
>> built in here. It's also unclear what you mean about click-to-verify. Is
>> this bypassing a warning prompt by breaking it with a flood of requests?
> 
> I have not tried this, but here's some context:
> 
> Most browsers have issues where they do not update the URL bar when
> content from a different is shown (i.e., the update happens too late), or
> they show the new URL while still displaying old content (update too
> late).  I've seen such discrepancies with Firefox, but I don't know if
> it's still present in current versions.
> 
> If such bugs are present, freezing browsers while they are showing
> inconsistent content (hence the DoS attempt) could lead the user to
> attribute content to the incorrect site.

Ah, that makes sense. It seems to depend on a race condition so it makes
sense that it can't always be replicated. I've tried it a few times and
it fails about as often as it works. I have a feeling that the proof of
concept was the whole issue report and it just happened to fail for
whoever tested it.

