Data URL phishing has Google thinking restrictions.
Chrome is considering limiting the functionality of data: URLs in order to curb mis-use of the URL scheme by phishers.
Data: is a URL scheme, similar to schemes like http: and tel: which most users are more familiar with. Each one of these has a unique function. The function of data: is to contain data within the URL itself.
A legitimate use of a data: URL would be to reduce the number of HTTP requests a website needs to make, or to display dynamically-generated content within the browser. However, phishers often use data: URLs in their malicious activity.
What makes data: URLs so effective for phishing is that webpages can redirect to, or be opened via a link and displayed as stand-alone pages. They can also circumvent certain detection methods and filtering.
This would mean the only way to directly open data: URLs would be to type or paste them in. In proposing this change, Chrome’s engineers noted that Microsoft’s Internet Explorer and Edge browsers already block all top-frame navigations to data: URLs.
Website’s that would want to continue using data: URLs would need to use them in-line through iframes or loaded as resources on the page, instead of as their own pages.
Chrome has already made the decision to label all data: URLs as “Not Secure,” with a patch to Chrome 56. This is the same treatment that HTTP pages containing password/credit card fields are now given.
The Danger of Data:
Unlike an HTTP URL, which is a path to data, a data: URL is the data itself. One way to think of it is that a data: URL can actually be a phishing site. Here is an example of a very simple data: URL:
data:text/html, This is a data URL!
If you paste that into your address bar, it will display a page that says “This is a data URL!”
Dosen’t seem too dangerous, right?
Data: URLs can also contain arbitrary HTML, images, and other types of data. You can even embed script tags that load external files. Data URLs can also use encoding to obscure what they are doing. While a jumble of letters and numbers may not look very legitimate, it can be combined with other tactics to be an effective mask.
Attackers can pack a data URL with blank spaces to “hide” the full URL. Matthew Bryant put together a demo where he constructed a data URL that mimics Yahoo.com. While the layout is not perfect, it is a fairly good example of how a data URL could be an effective phishing tool:
What you aren’t seeing in the screenshot above is that the URL continues far past the end of the address bar, where it is hiding a script tag that is loading the malicious form. Click here to see this proof of concept live in your browser.
Chrome’s engineers noted that data: URLs accounted for 0.05% of all top-frame navigations over the last 28 days. This may seem small, but it is actually a rather large percentage for a feature that is being considered for removal. However, given the sheer number of cases and complaints of phishing, the danger appears to outweigh legitimate use.
Before Chrome makes changes they usually solicit comments from other Google engineers and the public in the form of an “Intent To” thread. So far, there is support from multiple engineers to have navigation to data: URLs limited. However, they may ultimately decide not to make the change if it will break a significant portion of the web. If you want to voice your comments on this change, you can do so here.