Reported by th...@inbox.com, May 9
Universal XSS by using "..;@" within the url :~D
Chrome Version: [66.0.3359.122] + [stable]
Operating System: [iOS]
Basically if we run this javascript code " history.replaceState('','','..;@www.google.com:%3443/') " from any domain using "HTTPS:" our URL domain is being replaced to that one..
For example: if this code is run on my site https://web-safety.net/ the the url is being replaced to https://www.google.com yet the contents remain under my control.. Therefore etc. we can run unrestricted XHR requests as long as the path is not absolute ('../myAccountInfo','../../SomeOtherSensitiveInformation')
Proof of Concept displaying Cookies in an iframe from https://www.google.com https://web-safety.net/uxss_ios.html
This should work fine on any iOS on Chrome
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=841105