Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jun 2015 18:29:07 +0200
From: 0pc0deFR <>
To: OSS Securty <>
Subject: Re: Google Chrome Address Spoofing (Request For Comment)

Work on Google Chrome Ubuntu.


Kévin FALCOZ alias 0pc0deFR - Consultant Expert WordPress -


Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant -

2015-06-30 16:04 GMT+02:00 Daniel Micay <>:

> On 30/06/15 09:52 AM, Florian Weimer wrote:
> > On 06/30/2015 03:45 PM, Daniel Micay wrote:
> >> It does display a window with the address, but I don't
> >> understand why you've got an ever increasing number of setTimeout events
> >> built in here. It's also unclear what you mean about click-to-verify. Is
> >> this bypassing a warning prompt by breaking it with a flood of requests?
> >
> > I have not tried this, but here's some context:
> >
> > Most browsers have issues where they do not update the URL bar when
> > content from a different is shown (i.e., the update happens to late), or
> > they show the new URL while still displaying old content (update too
> > late).  I've seen such discrepancies with Firefox, but I don't know if
> > it's still present in current versions.
> >
> > If such bugs are present, freezing browsers while they are showing
> > inconsistent content (hence the DoS attempt) could lead the user to
> > attribute content to the incorrect site.
> Ah, that makes sense. It seems to depend on a race condition so it makes
> sense that it can't always be replicated. I've tried it a few times and
> it fails about as often as it works. I have a feeling that the proof of
> concept was the whole issue report and it just happened to fail for
> whoever tested it.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ