Chrome address spoofing vulnerability proof-of-concept for HTTPS. (Original by David Leo.)
Latest commit d8ef304 Jul 2, 2015
README.md Update README.md Jul 2, 2015
content.html fix Jul 2, 2015
index.html init Jul 2, 2015
screenshot.png add screen Jul 2, 2015

README.md

This is a modification of a proof-of-concept for a Chrome address spoofing flaw published by David Leo (david.leo () deusen co uk) on the Full Disclosure mailing list.

(According to the original publication, this was reported to Google but it was regarded as a non-vulnerability.)

This version spoofs the HTTPS version of facebook.com. Surprisingly, it even shows the certificate in green:

You can try a live demo, but note that you may have to try it a few times for it to work, because there's a connection timing condition involved. However, if you clone the repo locally, it should work 100% of the time.

Note that you can't interact with the spoofed web page, which limits the severity of this vulnerability, as it can't be used to do direct phishing.