Board: Off-topic
Topic: Re: Ask TF thread
by darkgamer on 14/01/2015, 23:21:21 UTC
Got any new projects which might gain some of your reputation back?

apparently hashie
https://code.google.com/p/chromium/issues/detail?id=429395

Security: Window.opener bypasses same origin policy
Status:     WontFix
Owner:    ----
Closed:     Nov 2
Type-Bug-Security
Reported by ad...@glados.cc, Oct 31, 2014

VULNERABILITY DETAILS
Opened windows (through normal hrefs with target="_blank") can modify window.opener.location and replace the parent webpage with something else, even on a different origin (bypassing same origin policy).

While this doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab (which a user already mentally trusts).

window.opener.location should not be modifiable if on a different origin.

VERSION
Chrome Version: 37.0.2062.94 + stable
Operating System: Ubuntu

REPRODUCTION CASE

https://hashie.co/chrome/demo.html

Oct 31, 2014
#1 meacer@chromium.org

Thanks for the report, but the repro doesn't seem to be working on Chrome 38 on Linux. Could you try reproducing with a more recent version?

Oct 31, 2014
#2 ad...@glados.cc

Unfortunately the latest version of Chromium in my PPA is 37.

I've been able to reproduce this on Chrome 38.0.2125.114 for Android.

Oct 31, 2014
#3 ad...@glados.cc

To clarify, the actual POC is in the link on the page. The https://hashie.co/chrome/demo.html page will be replaced with example.org by pix4bit.com

Nov 1, 2014
#4 meacer@chromium.org

The demo page doesn't work for me on M37 on Mac either. When I switch back to example.com tab I see a very brief flash of https://hashie.co/chrome/demo.html but otherwise the actual example.com page is displayed in page contents. I haven't tested on Android yet though.

Nov 2, 2014
#5 wfh@chromium.org

The user decides to trust a particular tab by inspecting the URL and determining the origin. In all cases here both tabs are always showing the correct origin for the content being shown.

On Android, when entering any data into a form, the origin is always shown, even if it's previously been elided by scrolling down. The user can then make a trust decision based on this visible origin.

Given this, I don't see any risk to users more than the users just clicking on a link and visiting a new page, so I am closing with WontFix.
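For site owners who do not want an opened page to be able to navigate their tab through window.opener.location, the standard mitigation is to add rel="noopener" (or rel="noreferrer") to every link with target="_blank". The following is an added example, not code from the Chromium issue or from the forum post: an audit helper that checks link markup for this, with a constructed HTML fragment as input. It assumes plain <a> tags and a browser that honours rel=noopener.

```javascript
// Return the rel value an <a target="_blank"> should carry so that the
// opened page sees window.opener === null. "noreferrer" also suppresses
// the opener reference, so it is accepted as-is when already present.
function hardenRel(rel) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  if (!tokens.has("noreferrer")) tokens.add("noopener");
  return Array.from(tokens).join(" ");
}

// Deliberately simple tag-level regexes for demonstration on constructed
// input; in a browser use hardenLiveDom() below over the real DOM instead.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /\b(target|rel)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Scan an HTML string and report each target="_blank" link, whether it
// already blocks window.opener, and the rel value that would fix it.
function auditBlankLinks(html) {
  const findings = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const attrs = {};
    for (const m of tag.matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").toLowerCase();
    }
    if (attrs.target !== "_blank") continue;
    const rel = attrs.rel || "";
    const safe = /\bnoopener\b/.test(rel) || /\bnoreferrer\b/.test(rel);
    findings.push({ tag, rel, safe, fixedRel: hardenRel(rel) });
  }
  return findings;
}

// Same check applied to a live document (browser only); returns the number
// of links that were rewritten.
function hardenLiveDom(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const before = a.getAttribute("rel") || "";
    const after = hardenRel(before);
    if (after !== before) { a.setAttribute("rel", after); fixed++; }
  }
  return fixed;
}

// Constructed sample fragment (not taken from any real site).
const SAMPLE_HTML = `
<a href="https://example.org/" target="_blank">opener exposed</a>
<a href="https://example.org/" target="_blank" rel="noopener">hardened</a>
<a href="https://example.org/" target='_blank' rel="nofollow noreferrer">hardened</a>
<a href="https://example.org/">same-tab link, no opener involved</a>
`;
```

Running `auditBlankLinks(SAMPLE_HTML)` flags only the first link as unsafe and suggests `rel="noopener"` for it.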