Android Chrome Address Bar Spoofing (R7-2015-07)
Due to a problem in handling 204 "No Content" responses combined with a window.open event, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context. This effect was confirmed on an Android device running Lollipop (5.0). An attacker could use this vulnerability to convince a victim of a phishing e-mail, text, or link to enter private credentials into an untrusted page controlled by the attacker.
Rafay Baloch discovered the vulnerability, and worked with Joe Vennix to improve the proof of concept to demonstrate the vulnerability. Both are independent researchers who worked with Rapid7 to handle disclosure, per Rapid7's disclosure policy.
Rafay Baloch has provided a detailed analysis of this bug, including a proof of concept demonstration, at his site, Rafay's Hacking Articles. An unrendered example of the proof of concept from Joe Vennix can be seen at this JSFiddle.
The Android security team responded to Rapid7 that, upon learning of the vulnerability, patches were committed to both KitKat (4.4.x) and Lollipop (5.0.x) main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems.
In the event that patches are unavailable for a particular handset or carrier, users are advised to avoid using the Chrome browser to perform authentication, especially when following links from untrusted or unverifiable sources until patches are available.
- Mon, Feb 09, 2015: Reported to firstname.lastname@example.org by Rafay Baloch
- Thu, Mar 26, 2015: Disclosed to Rapid7 and Joe Vennix
- Wed, Apr 01, 2015: Proof of Concept improved by Joe Vennix
- Fri, Apr 03, 2015: Reported to email@example.com and CERT/CC by Rapid7
- Tue, Apr 07, 2015: Vendor responds, patch available on Lollipop
- Thu, Apr 30, 2015: Vendor responds, patch available on KitKat
- Mon, May 18, 2015: Public disclosure