
[tor-bugs] #20679 [- Select a component]: Tor Browser Address Spoofing.



#20679: Tor Browser Address Spoofing.
--------------------------------------+-------------------------
     Reporter:  Dhiraj_Mishra         |      Owner:
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Major                 |   Keywords:  Tor Browser
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+-------------------------
 Steps to reproduce the problem:
 Please find the attachment.

 1. Open http://hackies.in/spoof.html
 2. Hit Go.
 3. The Address Bar gets spoofed.

 Address Spoofing:
     Address bar says facebook.com
     Content is not facebook.com

 However, by closing the spoofed tab the browser crashed.
 In my attempts to repro, the page always goes blank after a short delay,
 both on Linux and Windows.  I'm sure that it's possible to tweak the
 parameters to DoS the browser and delay the blank paint, but that's
 fragile and is unlikely to work well across machines.

 The timer setTimeout() is actually set to 4 seconds. Locally, the spoofed
 content gets displayed for the time mentioned in the code (the time value
 can be extended) to make the spoof page stable.

 Demo URL : http://hackies.in/spoof.html
 Please find the attachment for the reference.

 Thank you

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20679>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online