
Chrome address spoofing vulnerability proof-of-concept for HTTPS - FiloSottile
https://github.com/musalbas/address-spoofing-poc
======
FiloSottile
Important to note that the fake page is "frozen", so there is no direct
phishing risk. The user can click around but nothing happens. Scrolling works.
Resizing curiously turns it into a blank page. Reloading leaves the fake page
up.

It's a race, so it might not work at the first try over the network.

Original report:
[http://seclists.org/fulldisclosure/2015/Jun/108](http://seclists.org/fulldisclosure/2015/Jun/108)

~~~
amelius
What do you mean by "frozen"? Can't the page contain javascript that makes it
appear not-frozen?

~~~
rsoto
It rendered the phishing HTML, but you can't interact with it. I guess it's
because the script is stopping the render of facebook after the request has
been made (hence the www.facebook.com site), providing another security layer,
as you can't be phished with an unresponsive website.

And I don't think javascript would make a difference.

------
neotek
I feel it's a little disingenuous for the author not to mention up front that
the fake page can't be interacted with, because it completely changes the
severity of the vulnerability.

~~~
rlidwka
It doesn't change anything. As some people used to say, "security is binary;
you either are secure or you are not".

While it's useful for phishing pages to be interactive, it's not strictly
necessary:

----

"Your paypal account is locked, because we suspect it to be hacked. To unlock
it, please call our tech support (phone number 1-234-56789) and tell them your
paypal password to prove your identity (and CVV of all the credit cards pretty
please)."

~~~
neotek
It absolutely changes things, there's a marked difference in severity between
encouraging someone to call a number or respond in some other way to written
instructions, and capturing their login details on a page they've been trained
to trust (i.e., https with a green lock.)

I'm certainly not saying there's no issue here - your example perfectly
demonstrates a realistic and dangerous use case - I'm merely pointing out that
omitting such an important aspect of the vulnerability in the repo readme is
disingenuous and materially changes the severity of the issue. To be honest,
the omission actually smacks a little of clickbait.

~~~
mSparks
It's a proof of concept. I don't see how it changes anything. Once you've got
the browser displaying [https://site](https://site) you control pretending to
be something else.

Fixing everything else is trivial.

------
patcheudor
Interestingly, this one has been around and known for awhile. I reported it
back in September of 2012 and got the same response. Basically it wasn't
viewed as a bug because the user couldn't interact with the DOM. I explored
this quite extensively and was never able to make it interactive.

Here's a screenshot of just some of my exploration of this bug back in 2012:

[https://www.facebook.com/photo.php?fbid=517413654939227&set=...](https://www.facebook.com/photo.php?fbid=517413654939227&set=a.101964293150834.4826.100000117904896&type=3&theater)

------
scyllax
I see why they called it a non-vulnerability. It also works on Firefox 40.0a2
(2015-06-03).

~~~
Myrannas
Indeed, however it managed to crash my browser after clicking that button a
couple of times.

------
sijmenruwhof
For those interested, I made an extensive security risk analysis of the
situation and published it on my web log:

[http://sijmen.ruwhof.net/weblog/447-security-risk-analysis-o...](http://sijmen.ruwhof.net/weblog/447-security-risk-analysis-of-address-bar-spoofing-bug-in-chrome-and-opera)

------
curiously
It just redirected to facebook login.

~~~
aesthetics1
That's precisely the point. It seems to have tricked even you.

~~~
curiously
But it doesn't show any login, it just says "facebook login" page but blank.

~~~
aesthetics1
The URL shows [https://www.facebook.com](https://www.facebook.com), and a
green shield indicating a secure connection. What is displayed is _not_ from
facebook. Maybe you're missing it? Ad or social blocker installed?:

[https://raw.githubusercontent.com/musalbas/address-spoofing-...](https://raw.githubusercontent.com/musalbas/address-spoofing-poc/master/screenshot.png)

~~~
curiously
Ah yes, I had unlock, maybe that's why?

