Hacker News: Herrera's comments

Yeah, https://xsleaks.dev tracks most of the known ways to leak cross-origin data.


oh hell yes. And oh yes, iframes and postMessages; of course people would set them up incorrectly, and even if they do, some (probably not that important, but still) data will leak if you're creative enough. Thanks for the link!


Bleichenbacher'06 never dies.


Neither does BB'98


Can’t wait for BB20


Interesting... I reported a variation of this issue to Google back in 2015 and they said they weren't "concerned about the premise of the attack in the bug description. You can always make the back button go to a page under your control by doing a second navigation, e.g., with pushState".


I was playing with picture-in-picture attacks on Chrome some time ago and even proposed a way for mitigation, but it was dismissed.

Here's the PoC I did: https://www.youtube.com/watch?v=0oega6C5SF0

And the mitigation I proposed was from this: http://i.imgur.com/8m6UdiC.png

To this: http://i.imgur.com/turRAdc.png


Really? That is strange, because there are ways this could be exploited... Can you link them to me?


https://news.ycombinator.com/item?id=12260444

Sorry, I'm on mobile. But there are several similar reports, as the HN link shows.


A somewhat related topic:

A few months ago Google fixed a vulnerability in inline installation. It was possible to start an install on the attacker's website and then redirect the page to an arbitrary one. This would confuse the user, making him believe that the install came from the arbitrary page.

Here is the PoC if anyone is interested (CVE-2016-1640): https://www.youtube.com/watch?v=f_9ObDqBoo8


If you keep your left mouse button pressed you can cheat too.


You are right. You receive one image containing an inspirational message for your family and decide to send it to your family members. Then it changes to an image asking for money to be sent to an account because you are in need. I could see this working.


Yes, if you invest at least $1,000,000 and employ more than 10 people for two years you will be eligible for the EB-5 visa. It seems a good way to get a green card if you have the money.


It is not always enough. For example, recently I have found several ways to spoof the URL and HTTPS lock on Google Chrome. So phishing seems to be a concern.


If you found a way to have the address bar show an HTTPS lock on a Google domain despite actually being on one, then you've found a big hole and you could make a lot of money by reproducing/reporting this security flaw.

The fact that you have found "several ways" is intriguing. You are either mistaken, or you're one of the greatest security researchers out there.


I already did report them. The first one was fixed (CVE-2015-6782), got $1k from Google. There are three more they are working on.


In that case, way to go, that is very impressive! I'm surprised the bounty was so low, honestly.

In response to your first comment, I should clarify that checking for a valid HTTPS URL SHOULD be sufficient, barring implementation errors in the browser. Of course, if the browser is insecure, all bets are off wrt web security. Implications may range far beyond phishing attacks in that case.


Thank you! I got involved with the security world recently and I'm really enjoying it. And I would like to clarify: the comment I made earlier was a little ambiguous. The bug that got fixed only spoofs the omnibox and not the HTTPS lock. The others spoof both. That said, when I am able to disclose these vulnerabilities, I intend to write a post about them.


You should, I would love to read that :)


>Of course, if the browser is insecure, all bets are off wrt web security.

I guess this is a no go for now, then?

>There are three more they are working on.


Wow, this thread reminded me of the "best HN comeback of all time":

https://news.ycombinator.com/item?id=35079

