Address Bar Spoofing in Default Browser of Ubuntu LTS.

Bug #1620323 reported by Dhiraj
Affects: webbrowser-app (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hello,

The default browser of Ubuntu LTS is vulnerable to Address Bar Spoofing.

Steps:
The Ubuntu browser allows an attacker to spoof the web browser by just using the '@' symbol.
Example: https://<email address hidden> ; this will redirect a user or victim to bing.com rather than google.com.
An attacker can take advantage of this and may redirect the user to any malicious website.
Example: https://<email address hidden> ; similarly, this will also redirect to attacker.com rather than facebook.com.

There are various scenarios to exploit this; one of them uses BeEF with [hook.js], which is browser-based exploitation, and there are many more.
Example: https://<email address hidden>/hook.js
hook.js is a component of BeEF, which allows an attacker to carry out browser-based exploitation.

As far as I can recommend and request, there should be a pop-up as a mitigation, warning that someone is trying to tamper with the URL.

Kindly have a look at the attached video PoC to clarify the above scenario.
I would be happy to hear from the team.
Thank you

Revision history for this message
Dhiraj (mishra-dhiraj95) wrote:
Colin Watson (cjwatson)
affects: launchpad → webbrowser-app (Ubuntu)
Dhiraj (mishra-dhiraj95)
description: updated
Revision history for this message
Chris Coulson (chrisccoulson) wrote:

How is this an address bar spoof? Your video shows you typing an address in the address bar, the browser navigating to the correct address, and the address bar showing an address that matches the content displayed.

Revision history for this message
Dhiraj (mishra-dhiraj95) wrote:

I am able to redirect the user to a different domain by just using '@', so it's a kind of Omnibox that is able to be spoofed, and there are many ways to exploit it; one of them has been explained above!

Thank you

Revision history for this message
Chris Coulson (chrisccoulson) wrote:

You haven't redirected to a different domain; the browser has navigated to the domain you typed into the address bar. For an address bar spoof there needs to be a bug that allows content to manipulate the address bar contents in a way that doesn't reflect the content displayed. I don't see evidence of that here.

Revision history for this message
Dhiraj (mishra-dhiraj95) wrote:

OK, let's not assume it is address bar spoofing; then it is a sort of open redirect in the default browser of Ubuntu.

Thank you

Revision history for this message
Marc Deslauriers (mdeslaur) wrote:

This isn't really a security issue; it is how URLs work. The value specified before the "@" is considered to be the username. See RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt).

That being said, while Chrome simply allows the username, Firefox does display a warning to the user.

Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
information type: Private Security → Public
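The behaviour Marc describes, as an added example that is not part of the bug report or of webbrowser-app: Node's built-in WHATWG URL parser (which follows the RFC 3986 authority syntax) is applied to constructed URLs modelled on the report's description (a google.com decoy in front of bing.com, facebook.com in front of attacker.com). The inspectUrl and stripUserinfo helpers and the "userinfo looks like a domain" heuristic are this example's own, not the browser's; they sketch the kind of warning or normalisation the reporter asks for.

```javascript
// Added example (not from the bug report or webbrowser-app): how a standards-
// conforming URL parser splits "https://google.com@bing.com". Everything
// between "//" and the first "@" in the authority is userinfo; the host is
// what follows the "@". Uses Node's built-in URL class; no network access.

// Inspect a URL string and report where each part actually landed.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { valid: false, input };
  }
  // Heuristic of this example (not the browser's): userinfo that looks like a
  // registrable hostname is a decoy domain placed in front of the real host.
  const decoyDomain = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i.test(url.username);
  return {
    valid: true,
    input,
    username: url.username,
    password: url.password,
    hostname: url.hostname,
    pathname: url.pathname,
    // Any userinfo in an http(s) URL is unusual enough to warn about, which is
    // the Firefox-style mitigation mentioned in the thread.
    warn: url.username !== '',
    decoyDomain,
  };
}

// Alternative mitigation: drop the userinfo so the address navigated to and
// shown is the bare real host. Throws on an unparseable URL.
function stripUserinfo(input) {
  const url = new URL(input);
  url.username = '';
  url.password = '';
  return url.href;
}

// Constructed samples modelled on the report (the report's own hidden
// examples are not reproduced; attacker.com is the report's placeholder).
const SAMPLES = [
  'https://google.com@bing.com',
  'https://facebook.com@attacker.com/hook.js',
  'https://user:secret@example.com/login',
  'https://google.com/@bing.com', // "@" after the first "/" belongs to the path
];

for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(
    `${s}\n  host=${r.hostname} user=${r.username} path=${r.pathname}` +
      ` warn=${r.warn} decoyDomain=${r.decoyDomain}`
  );
}
```

Running it shows that the first two samples navigate to bing.com and attacker.com respectively, with the familiar domain stored as the username; the fourth sample stays on google.com because the "@" sits after the first "/" and is therefore part of the path, not the authority. A browser that wants to follow Firefox's lead can key a warning off the `warn` or `decoyDomain` field, or normalise with `stripUserinfo` before navigating.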