Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Certificate Spoofing in Google Chrome for Android
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 22 Dec 2011 23:16:38 +0200

Hello list!

I want to warn you about Certificate Spoofing in Google Chrome for Android. 
This vulnerability is low risk, but can be used by phishers for stealing 
certificates from legitimate sites for conducting phishing attacks.

-------------------------
Affected products:
-------------------------

Vulnerable are Google Chrome for Android 2.3.3 and previous versions (and 
possibly next versions).

----------
Details:
----------

Certificate Spoofing (WASC-12):

It's possible to use certificates from other sites via iframe (so I called 
this attack as Certificate Stealing). At that it's possible to do that not 
only for https, but for http sites. As you can see from my screenshots, http 
site (mine) got certificate from https site (of Google).

PoC screenshots:

http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-1.jpg
http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-2.jpg
http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-3.jpg
http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-4.jpg
http://websecurity.com.ua/uploads/2011/12/Google%20Chrome%20for%20Android-5.jpg

#1 - Open web site with iframe referenced to another site.
#2 - Select Page info in context menu.
#3 - There is "View certificate" button, but there must be no one, because 
it's http site.
#4, #5 - Current site has valid certificate of another site.

------------
Timeline:
------------

2011.12.10 - found vulnerability.
2011.12.20 - informed Google.
2011.12.21 - disclosed at my site.

I mentioned about this vulnerability at my site 
(http://websecurity.com.ua/5587/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Certificate Spoofing in Google Chrome for Android MustLive (Dec 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault