From full-disclosure Tue Jun 30 22:12:35 2015 From: Valentinas Bakaitis Date: Tue, 30 Jun 2015 22:12:35 +0000 To: full-disclosure Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment) Message-Id: X-MARC-Message: https://marc.info/?l=full-disclosure&m=143580012423123 Can you perform any actions on the page once the URL is replaced, or is it non responsive? (asking because PoC did not work on my Chrome 43.0.2357.130 (64-bit) on OSX). If it is non responsive then the impact is very limited. Worst thing I can think of is showing "your account is suspended, please contact technical support on 0800-555-555" and then using the trust user puts in the URL for phone phishing. If it is responsive, then it's indeed pretty bad. Cheers! V. On Tue, Jun 30, 2015 at 6:08 PM, David Leo wrote: > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > > Go
> ***** content.html > This web page is NOT oracle.com > > ***** It's online > http://www.deusen.co.uk/items/gwhere.6128645971389012/ > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/ > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/