web application security lab

Chrome Phishing

Securosis did a little writeup on how Google’s switching to Chrome as a secure alternative to anything else is rather short-sighted following an interview with Eric Schmidt. I think some people think I’m just speculating when I talk about how browsers tend to make the same mistakes over and over again without learning the lessons of their predecessors. No, that’s not idle speculation. Eric Schmidt said that they want to be held accountable for how much more secure their website and web technologies are. Alright… if you say so, Eric.

Reaching into my grab bag of Chrome issues, let me pull out the oldest, lamest one I can, purely as a proof of concept:

There is a long-ago-patched bug that phishers used many years back to create targeted phishing links that fool the eye. By putting the name of the site in question in the basic authentication (userinfo) field of the URL, they could make people think they were clicking on something they weren’t. Mind you, this has been patched for years in Firefox. Chrome? Not so much. The following was tested in Chrome on Vista.

http://www.bankofamerica.com@ha.ckers.org/

The reason modern “new” browsers aren’t as good for security comes down to two things: 1) they haven’t figured their security model out completely, and 2) they don’t go back and read about all the hard-learned lessons of their kin and build those lessons in. Basing your entire security model on an unproven browser that JUST had a dozen holes uncovered a few days ago is foolhardy at best. So, yes, Eric - I’m sorry to say, you are building your new security posture on a house of cards, and everyone who uses Google, Chinese dissidents or otherwise, is at the mercy of that decision.

40 Responses to “Chrome Phishing”

  1. Noam Says:

    You sure that http://www.bankofamerica.com@ha.ckers.org/ works? :)

    Chrome appears to hide the username as soon as you put that “username” part in the URL address area.

    I am using Chrome Beta (BTW)

  2. . Says:

    wow, that’s cool. Try myself now…

  3. buherator Says:

    doesn’t work for me. Linux, 5.0.342.7 beta

    “they don’t go back and read about all the same hard learned lessons of their kin and build in those lessons learned” - what about http://code.google.com/p/browsersec/wiki/Main ?

  4. . Says:

    @buherator
    for me it’s like this
    http://bit.ly/b9f3Wn

  5. RSnake Says:

    @buherator - What happens on Linux? Does it not send you to ha.ckers.org?

  6. RSnake Says:

    @Noam - yes, but only after you hit enter - too late.

  7. anomit Says:

    Works on 5.0.342.9 beta, Linux.

  8. RSnake Says:

    @buherator - That’s a good list of current issues, not past issues. It’s also incomplete.

  9. Jeremy Says:

    Works on my iPad with safari! Not just chrome needing to catch up. ;)

  10. ashby Says:

    works like a charm.. xp chrome v 4.1.249.1045

  11. Erwin Says:

    Works for me too, latest version of Chrome on Vista.

    I think that it is a good thing for Google to use Chrome: “eat your own dog food”

    I switched to Chrome lately for the nice surfing speed. Although all risky surfing is with Firefox & NoScript :)

  12. RSnake Says:

    @Erwin - If my speech gets accepted at Blackhat, you may change your mind about that. :)

  13. John Weis Says:

    Works for me in Chrome 5.0.342.9 beta on Windows XP

  14. TheTestManager Says:

    My Anti Virus program picks it up,

    So even if I used Chrome it still protects against any url like that.

    It gets shown as

    HTML/Gen Spoofing.

    Antivirus program = Avira

    Using Firefox anyway but its good to know that other forms of protection besides the browser inbuilt security are in place.

  15. Vinicius K-Max Says:

    Works on Chromium 5.0.313.0 (37694) on Mac OS X

  16. Pjoe Says:

    Using Chrome 5.0.375.3 dev on Linux.

    Entering http://www.bankofamerica.com@ha.ckers.org/ in the omnibox takes the page to ha.ckers.org directly w/o any confirmation.

  17. Troy Says:

    I just wanted to confirm that it works in Safari on the iPhone as well. (iPad already mentioned)

  18. MZ Says:

    Users who make security decisions by looking on the status bar or URL before clicking or pasting them into the URL bar - *instead* of checking the address bar on the destination page - are in deep trouble in every browser, for a number of reasons.

    Credentials in URLs, open redirectors, or onclick= handlers are just one of the many issues with this; more fundamentally, there is a number of URLs that simply get parsed differently across implementations, and even security experts are unlikely to be able to guess their destination correctly.

    Browser Security Handbook actually has a discussion of these issues, and gives this example:

    http://example.com;.coredump.cx/

    …and also:

    http://example.com\@coredump.cx/

    …both of which have a different meaning to different browsers (to clarify: although the latter URL contains a @, it’s the \ parsing that really matters).

    The address bar is the only reliable security indicator we have; this is perhaps unfortunate, but nearly impossible to fix without breaking the web.

    The behavior of various implementations is also surveyed in BSH for a longer while, so while your criticism of the design decision is naturally acceptable, I would not suspect cluelessness on the part of Chrome devs:

    http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators

    http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication

    There are trade-offs to every approach: MSIE disables URL HTTP authentication by default, but this cripples a number of legitimate uses (and organizations that depend on them re-enable it, exposing their users again). Firefox generates a confusing and wordy prompt - but you are arguing that while it’s unwise, users de facto trust links at their face value; so you should be also willing to accept that users click through “Do you want to see this page?” prompts (and there’s actually a lot of research showing they do).

    Personally, I think that the approach taken by Chrome - that is, cleaning up the URL bar and highlighting the host name - is the most graceful approach. It’s far from ideal, but it has the benefit of not making unrealistic assumptions about user behavior, and not breaking the web.

    IMO, bottom line is, if you don’t understand URLs and don’t know which indicators can be trusted to make security decisions, you are hosed. I think this is unfortunate, and there’s a lot to be done in this area, but to turn this into a criticism of a particular browser strikes me as a bit disingenuous.

    Cheers,
    /mz

  19. RSnake Says:

    @MZ - Ahhh, Michal Zalewski - the one man inside Google, I respect tremendously! Please, please, please find yourself a better job. They get one of the world’s best security guys and have him serving up ads. Such a waste. You are worth so much more to so many better causes. Trust me, there are way better places to hang your hat. And with that said…

    Firefox’s model is 1000x better than Chrome. Wordy, yes, and a tad confusing, I might add, but at minimum it alerts the user to the fact that there could be a problem (and for a few years there it WAS a huge problem). I don’t care if you do or don’t support basic auth through a URL string or what you do after they click on it. That’s irrelevant. Users will still click on it because countless bad security people told them to mouse over the links and make sure they are really going to the right place. The fact that people will get compromised because of your model is literally all that matters. If you don’t alert them to the fact they’re about to get phished, you are taking part in their compromise. This is an exploit that was used in millions of phishing emails, so it’s not theoretical. Doing something without alerting the user to the action you took and the danger associated is not graceful, it’s negligent.

    It’s not disingenuous to alert people to the failings of a browser technology, my friend. Nice try though. It’s disingenuous to claim that this is a superior model compared to alerting people to the very real possibility of phishing attacks.

    I’ll still buy you a beer at some conference sometime. The hefty drink of kool-aid and political posturing aside, I still respect you.

  20. MZ Says:

    Several specific examples given in my post illustrate why HTTP authentication is just one of the many worries with the trust model you propose; and why, when embracing this view, no particular browser deserves a particularly strong praise.

    As a side note, you should be well-aware that I am keen on openly discussing and criticizing browser or web app design issues *regardless* of who the vendor is - and it should be evident that I am not willing to compromise this integrity easily. Therefore, the Google-themed part of your message seems to be of no relevance to this discussion.

  21. RSnake Says:

    @MZ - then you and I will have to remain in disagreement in this matter, and your users will remain unsafe. No skin off my nose.

    Sorry to bring your job into this. I had assumed you would be good natured in this regard. My bad. You’re right, it’s not at all relevant, aside from a potential for bias. But now that you say you are unbiased, I have to take it on face value and instead now I have to believe you really believe what you’re saying. That’s unfortunate. I could have handled kool-aid.

  22. Vladislav Mysla Says:

    @RSnake: your example was processed and displayed normally by Chrome on my Win7. A hyperlink with the URL http://www.bankofamerica.com@ha.ckers.org/ is displayed as http://ha.ckers.org/ in the window status (when the mouse is over it). Please correct me if that is wrong. Thanks

  23. Vinicius K-Max Says:

    In Safari there is no redirection; the spoofed url stays on address bar:
    http://img6.imageshack.us/img6/1101/screenshot20100414at743.png

  24. RSnake Says:

    @Vladislav - the problem is people typically get phishing attempts in email, FAX, SMS, or instant message - not website form. So while that may be true, that’s much less important.

  25. Todd Says:

    Your logic is flawed. Eric wants to get all Google’ers helping to improve Chrome. All you are saying, which is a misguided argument, is that because the older system has more years in the seat it has more use cases covered. BUT you forget to mention that many use cases must be covered simply because of a flawed or less secure architecture in Firefox, IE, Safari, etc… Chrome is a step forward. It is a better architecture for a secure browser to stand on. Sure, there may now be missed use-cases, but look at Chrome’s upgrade track record. Faster than any other browser. The bug you point out is even fixed in the latest builds, so your whole argument is pointless. It seems more like you’re making a hollow point, just to needlessly spread FUD. I usually respect your position, but it seems like you are intentionally taking a position of FUD against Google; it definitely does not seem like you are unbiased when talking Google. Generally, I find your posts constructive and insightful, but when Google is in your topic, it’s all misleading, so I wonder about your other topics now too.

  26. RSnake Says:

    @Todd - I am in no way trying to pick on you in this comment, because I get this sort of sentiment a lot. More often it’s in person than online, but it deserves a thorough and well thought out answer. People call me a “Google hater” or “anti-Google” often, and sometimes it’s jokingly and sometimes is deadly serious. So it’s worth spending a little time on.

    I agree, Chrome has a few (and only a few from what I’ve seen) innovative security mechanisms built into it. They are lacking more than a few that other browsers have though, so that doesn’t actually net out a positive for them. I’d actually rank them significantly lower in a number of areas - one of which, incidentally, is privacy. I should also note that they didn’t invent sandboxing, in case someone thought they did - but they built it into their browser in a nice way and for that they are innovative. And yes, the other browser manufacturers should and will follow suit. But that is not the only thing that is required to make a secure browser. Oddly, Michal above seems to think that their model for handling this URL use case is superior, so I don’t see why they would “fix” something that wasn’t broken. Maybe I misunderstood though. Alas…

    But that seems to not really be what you’re writing about - you’re writing because you like Google or it’s approach or whatever, and dislike that I don’t. You say I’m spreading FUD about Google in general (unrelated to the vulnerability in question). But I must ask you, if you think that word can ever be applied in a different context? Is FUD necessarily the wrong or inappropriate reaction to the environment at hand? Let’s define it, shall we?

    Fear: Should you fear a company that has more information on every living person than any other company in the history of the planet? Should you fear a company that EPIC has filed a complaint against as the single greatest threat to your privacy? Should you fear a company that has refused to fix all their redirection holes even years after phishers have been using them so that they can continue to track their users? Should you fear a company that controls a massive amount of the percentage of total websites on earth (at least their code is resident in the form of JavaScript on a huge percentage of them)? My answer to this is if you really want to call yourself a security guy, you should fear anyone with this sort of power and track record. Your fear levels may vary, of course.

    Uncertainty: Should you feel uncertain about how Google has reacted to security problems in the past with their ex-chief officers saying they shouldn’t have to tell you about security flaws, because you will find them “distracting and confusing”? Are you uncertain about how they will use things like your health care information, when they disavow themselves of HIPAA? Are you uncertain about the future of technology you rely on like smart grids, and cell phones, and Internet that is entirely funded by slinging ads? My answer to this is you cannot put faith in a public company to do what is right for you, only what is right for it. So you should rejoice if you’re a shareholder. But for security guys, this should put up major red flags.

    Doubt: Do you doubt that Eric Schmidt with his mantra of you shouldn’t be worried about privacy unless you’re doing something wrong, has spent nearly enough time reflecting on the well being of every life he impacts? Do you doubt that future abuses of privacy and trust like Google Buzz will happen in the future? Do you doubt that having bought one of the largest and most hated advertising engines in the world (DoubleClick) and integrating them doesn’t add any extra privacy problems? Do you doubt that Google’s primary goal is to make money by serving up more advertisements? My answer to all of this is that I believe Google is a for-profit entity that has shown a particular distaste for privacy as it necessarily flies in the face of directed advertising, and has shown an inability to secure their environments against the very people who they absolutely must protect their environment from.

    In my opinion no real security guy should trust them unless they simply didn’t care about the risks to the data they gave them. But that is true of ANY company, Google or otherwise. So that isn’t something unique to them. They just happen to have a tremendously large amount of data to warrant the worry compared to any other company of note - thus the FUD.

    I’m not a security hypocrite. I absolutely believe every word I’m writing. If that doesn’t jive with your understanding of the world, you probably are right, my blog will seem misleading and full of bias.

    If you’re reading this site, I assume it’s because you want the straight no-BS story. I don’t lie on this site. I don’t fabricate evidence or vulnerabilities. Sometimes I’m wrong, sure, but if I ever find evidence of it I clarify that I was wrong and update my post. I don’t always give all the facts I am privy to, but in this case Google is actually worse than any amount of data I would feel comfortable putting on this blog for the sake of information given to me in confidence. For example, five ex-Google employees have talked to me and confirmed my fears. No, I don’t trust Google. No, you shouldn’t either, in my opinion. So, yes, I agree with your assessment - this whole thread is FUD as is most of my Google content, even though it is a term often reserved for the worst sorts of inflammatory cruft. In this case I think it’s actually an appropriate use of the term. You said “I wonder about your other topics now too,” good! You should always be a skeptic! It’s when you let ha.ckers.org or a $4 Billion a year advertising company blind you that you should worry. No one is making you read this site, or believe anything I say, and you should gain comfort in that fact. Free will is an amazing thing. You have to make your own decisions about what to believe. All I can do is keep presenting small slices of evidence, that you can faithfully choose to ignore or excuse as my bias if you like.

    If Google still seems like they are as pure as the driven snow even after reading all that - then rock on! No one will blame you for being a fan of Google. Just don’t forget to keep clicking on those ads!

  27. buherator Says:

    @RSnake
    as I put that URL in the address bar the username field turns gray while the real domain remains black, indicating where I am going. After hitting enter, I’m directed to ha.ckers.org (as expected), and the username field disappears from the address bar. Same behavior with FF, except for the coloring.
    If I create a link pointing to that url and move my cursor above it, Chrome says that it points to “ha.ckers.org”, while FF says it points to “www.bankofamerica.com@ha.ckers.org”.
    I can’t see the problem nor the significant difference between the two browsers, please enlighten me!

  28. stucky Says:

    “For example, five ex-Google employees have talked to me and confirmed my fears. No, I don’t trust Google. No, you shouldn’t either, in my opinion.”

    As far as I can tell RSnake, these fears shouldn’t really be mentioned.

    If the fears are as great as you say they are, I don’t see how any form of NDA (formal or otherwise) would stop you releasing the information. You don’t disclose the fears let alone the confirmations, how do you expect anyone to trust your opinion? (I know you don’t care what we think of your opinion in all honesty, but that’s besides my point.)

  29. kaes Says:

    Whoa, RSnake! RAH! You should edit that rant and post it as an item on your blog, it deserves a better place than between comments.

  30. RSnake Says:

    @buherator - please read the response to Vladislav Mysla.

    @stucky - I cannot betray people’s confidence. Just like I don’t put bad guys in jail for talking to me about their crimes, I don’t want to out innocent people who want me to continue my fight. Google hasn’t committed any crimes in regards to this, as far as I can tell, besides, perhaps anti-trust, and I’m no lawyer so I have no way of making such a determination. So whistleblower status almost certainly doesn’t apply, if that’s what you were referring to. But I have made my fears public, if that’s what you want to know. You’re correct in your assessment that I don’t care if that’s an unsatisfactory answer for you. In a perfect world we’d all know each other’s secrets. But then us security guys would be out of business, and Google would be making even more money. ;)

    @kaes - I was thinking the same thing, my friend. But believe it or not I get extremely tired when talking about Google for any extended period of time. Maybe another day and in another way, I will do precisely that, just not today.

  31. stucky Says:

    @rsnake, I wouldn’t want you to betray anyone’s confidence unless you thought the situation (aka your fears) were bad enough. Obviously, they are not. Anti-trust issues will soon come for Google (next 1/2 decade at least) I’m sure; a lot of people want into this search/ad campaigning game and it’s only a matter of time before a new underdog comes in.

    Also, your non anti-trust fears (the ones that matter to me) if they aren’t breaking the law does it really matter?

    Law doesn’t seem to matter much around these internets.. I believe this is much more in the realms of morality, ethics, and best practices.

  32. Tom T. Says:

    MZ wrote:

    “… Firefox generates a confusing and wordy prompt….”

    In actuality, here is the prompt, copied literally:

    “You are about to log into the site “ha.ckers.org” with the username “www%2Ebankofamerica%2Ecom”, but the website does not require authentication. This may be an attempt to trick you.

    “Is “ha.ckers.org” the site you want to visit? ”

    |Yes| |No|

    (with “No” highlighted, i. e., as the default action if user merely clicks “OK”, as so many do).

    Not wordy or confusing; I don’t see how it could be any simpler or more clear. You thought you were going to BA, but Fx tells you you’re going to hackers, and is that really where you wanted to be?

    Very disingenuous dismissal of Firefox’s warning. How would you improve on that, MZ or other Chrome people?

  33. AppSec Says:

    @Tom T:
    I’m not from either. But, here’s why this message is confusing:

    1) It is assumed the link would becoming from a forged e-mail from BofA or somewhere else pretending to take them there. The person clearly believed the origination e-mail enough to click the link. Odds are, they’ll click yes just because they’ll assume that’s what was intended.

    2) Most security messages cause confusion to users. Look at certificate warnings that get ignored time and time again. Sure, there are utilities which are used by more technically savvy individuals, but overall — it’s just confusing.

    That’s just my thoughts. I’m not for or against it. I’m just stating what I believe to be potential issues.

  34. MZ Says:

    Tom T:

    The warning you quoted is displayed only if the page does not require authentication; have the server return 401 (trivial for the attacker), and “OK” will be the default option… uh-oh.

    That said, my specific reservations about the dialog you quoted:

    1) Most people don’t understand what HTTP authentication is, mostly because it’s seldom used on consumer sites. They certainly can’t tell the difference between it and cookie-based authentication. From that perspective, the bits about “logging in”, “not requiring authentication”, and using a particular username are… hazy at best.

    2) Spurious URL escaping of the user name does not help, as most people do not understand this concept, either, and therefore, will find it unnecessarily difficult to make the connection between “%2Ebankofamerica%2E” and “bankofamerica”.

    3) In most phishing attempts, the username will be fairly long (or at least, can be); but the dialog does not limit its length when putting it inline, which may render the entire dialog almost completely unreadable.

    A more readable dialog could be:

    “The URL you are attempting to access looks suspicious, and will take you to `example.com’, which is probably not your intended destination.

    Are you sure you want to proceed to that site?”

    …but the problem with prompts like this is that they pretty much destroy what is left of HTTP authentication by always implying malicious intent. You could just as well just disable HTTP auth support in URLs.

    /mz

  35. stucky Says:

    I for one no longer want to take part in developing for your retarded cousin you call a normal user.

    /endthread.

    Seriously, you’re all talking about warning messages as if they are blank and don’t have this thing we call writing on them.

    This is what I see when you describe it:
    ______________________
    | _____ |
    |____________[_OK_]__ _|

    If a user is not willing to read the simply written English, layman-termed dialog that is their problem not mine. Not yours either if you know what’s good for you.

    Maybe you need to fork chrome into two different browsers.

    One for actual people that read things (and for those of us that actually know we can skip through and ignore shit - as well as when we shouldn’t).

    And then one for your retarded brother or whatever he is. In this one, if you sense something bad maybe happening you can flash the words ‘READ THE FUCKING MESSAGE MORON’ in big bright red letters/glyphs/scribbles that are understandable only to these ape like creatures you were talking about.

    Man I hate Sundays.

    p.s. I know the general user is a bit of a tard sometimes, but the way you guys are talking is over the top and taking things way too far. The actual damage caused by this kind of phishing is way too low to even bother changing how either of the browsers work. Any ’solutions’ you do find are likely to cost the general user far more in plain annoyance.

    How about we talk about some of the *real* problems and how we can fix them instead.

    priorities people?

  36. stucky Says:

    I hate you trim().

  37. progre55 Says:

    WOW, having read the entire topic together with the comments, I think I started to lose my trust in Google. I’m not saying I was a huge fan, and actually, never trusted Chrome, but this topic has slightly affected my bias against the company..

    btw, don’t even regret spending time reading the whole thing.

  38. AnonGeek Says:

    OK, I’m not going to comment on “Google: good or evil?” — I prefer to stick to the technical stuff.

    On the technical stuff, I’m with MZ. I expect these warnings will be confusing to many users. There’s a lot of research showing that users don’t understand these warnings and don’t respond like we’d wish them to. The lesson I’ve learned from reading user studies is that users are very slow to treat these kinds of warnings as indicators of attack. When they see these warnings, their first instinct is not necessarily to get suspicious and think “I’m being scammed”; their first instinct is often to think “aw, man, the Internet is flaky again”. Users are used to web sites temporarily not working right for no apparent reason, and used to the fact that if they click around a bit randomly (click OK a few times, click back and forward, hit reload, wait a few minutes, whatever), things will start to work again.

    So the only way I can see to design a warning that I’d expect will work reliably to protect users from these attacks is essentially to prohibit all use of HTTP authentication. Maybe someone else has a robust solution that takes into account human behavior, without rendering HTTP authentication useless; if so, I’m interested to hear it. But in the meantime, I’m not so sure that Chrome’s design choices here are ignorant or thoughtless.

    stucky, when you say ~”if this is how users behave, then I want no part in developing software for them”~, what you are really saying is “I don’t want to develop mass-market software”. Dude, this is the way the world is. Deal with it. If you can’t deal with it, don’t develop mass-market software. When mass-market software developers take this attitude, their software tends to suffer from security flaws, due to their unwillingness to take human behavior into account; you can’t build software that works well for ordinary users if you refuse to take into account empirical data on how users behave.

  39. RSnake Says:

    @AnonGeek - Right, let’s not bother confusing users. Having them be phished is much better. I’m no longer claiming ignorance… surprisingly Chrome devs think the very few cases of basic auth being used in URLs is worth the massive phishing potential. But there’s no reason to worry with Chrome right? The privacy leaking anti-phishing technology is there to save the day! Convenient!

  40. Darren Says:

    I wonder what the page rank of this particular article will be once google has finished trawling it :p

    Also, I wonder when google will remove images.de from their servers, considering it is copyright infringement in germany.

    Nevertheless, phishing comes down to social engineering, and so - while it will never be possible for any browser (without human capacity and understanding) to perhaps circumvent it, precautions can be done to make matters a little more complicated.

    Regardless of the user’s ability to read basic English - a Firefox “dialog box” usually means something is wrong - perhaps if there was a page similar to the “Red this site contains malware” warning page - users would take more notice. It would be relatively simple to write a regex to see if the “username” of an http auth request was a valid url, and if so - then warn the user, because surely - not many people use a website as their username for http auth.
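The trick the post demonstrates (a host-name-shaped userinfo in front of the real host) together with the check Darren proposes above, as an added example that is not code from the post or from any browser vendor: a small link inspector built on the WHATWG URL API, so the destination it reports is the host a standards-following browser would actually connect to. The sample links, the `intranet.example` name and the host-name heuristic are assumptions constructed for this example.

```javascript
// Added example, not code from the post or from any browser vendor.
// Inspects links the way a mail gateway or link checker could, using the
// WHATWG URL API (global `URL` in Node.js and browsers) so that "where does
// this go" is answered by the parser, not by what the eye reads.

// Heuristic for "this username looks like a host name": one or more DNS
// labels followed by an alphabetic TLD. Labels may contain hyphens but not
// start or end with one. Constructed for this example; it will also flag
// dotted usernames such as "john.doe", which is the intended bias.
const HOSTLIKE_USERNAME = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Percent-decode a userinfo component (Firefox shows it as
// www%2Ebankofamerica%2Ecom). A malformed escape is returned as-is rather
// than thrown, so the caller still sees the raw value.
function decodeUserinfo(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Returns a verdict for one href. `risk` is "none", "credentials" (userinfo
// present, e.g. a legitimate basic-auth link) or "lookalike" (the userinfo is
// shaped like a host name, which is the trick the post demonstrates).
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, parseable: false, risk: "none", username: "", host: "", path: "" };
  }
  const username = decodeUserinfo(url.username);
  const verdict = {
    href,
    parseable: true,
    username,
    host: url.hostname,   // what the browser actually connects to
    path: url.pathname,
    risk: "none",
  };
  if (url.username === "" && url.password === "") {
    return verdict;
  }
  verdict.risk = HOSTLIKE_USERNAME.test(username) ? "lookalike" : "credentials";
  return verdict;
}

// Plain-language warning a client could show instead of the raw URL; empty
// when there is nothing to warn about.
function warningFor(verdict) {
  if (verdict.risk === "lookalike") {
    return `This link goes to "${verdict.host}", not "${verdict.username}".`;
  }
  if (verdict.risk === "credentials") {
    return `This link carries a login name ("${verdict.username}") for "${verdict.host}".`;
  }
  return "";
}

// Keep only the links worth a warning.
function flagLinks(hrefs) {
  return hrefs.map(inspectLink).filter((v) => v.risk !== "none");
}

// Constructed sample links: the post's URL, its %2E-escaped form, an ordinary
// basic-auth link, a plain link, and the backslash shape quoted from the
// Browser Security Handbook in the comments above. For http URLs the WHATWG
// parser ends the authority at the backslash, so that last one carries no
// userinfo at all: its host is example.com and "@coredump.cx" lands in the path.
const SAMPLE_LINKS = [
  "http://www.bankofamerica.com@ha.ckers.org/",
  "http://www%2Ebankofamerica%2Ecom@ha.ckers.org/",
  "http://admin@intranet.example/",
  "https://www.bankofamerica.com/",
  "http://example.com\\@coredump.cx/",
];

for (const v of flagLinks(SAMPLE_LINKS)) {
  console.log(`${v.risk.padEnd(11)} ${v.href}\n  ${warningFor(v)}`);
}
```

Parse first, then judge: as the backslash sample shows, what reads as userinfo to a human is not always what the parser sees, so the heuristic has to run on the parsed components rather than on the raw string.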