Chrome Considers Restricting Data URLs to Combat Phishing
Data URL phishing has Google thinking restrictions.
Chrome is considering limiting the functionality of data: URLs in order to curb misuse of the URL scheme by phishers.
Data: is a URL scheme, like http: and tel:, which most users are more familiar with. Each scheme has a distinct function; the function of data: is to carry the data within the URL itself.
A legitimate use of a data: URL would be to reduce the number of HTTP requests a website needs to make, or to display dynamically-generated content within the browser. However, phishers often use data: URLs in their malicious activity.
What makes data: URLs so effective for phishing is that webpages can redirect to them, or they can be opened via a link, and then be displayed as stand-alone pages. They can also circumvent certain detection methods and filtering.
The proposed change would block top-frame navigations to data: URLs, meaning the only way to directly open one would be to type or paste it into the address bar. In proposing this change, Chrome’s engineers noted that Microsoft’s Internet Explorer and Edge browsers already block all top-frame navigations to data: URLs.
Websites that want to continue using data: URLs would need to use them in-line, through iframes or loaded as resources on the page, instead of as their own pages.
Chrome has already made the decision to label all data: URLs as “Not Secure,” with a patch to Chrome 56. This is the same treatment that HTTP pages containing password/credit card fields are now given.
The Danger of Data:
Unlike an HTTP URL, which is a path to data, a data: URL is the data itself. One way to think of it is that a data: URL can actually be a phishing site. Here is an example of a very simple data: URL:
data:text/html, This is a data URL!
If you paste that into your address bar, it will display a page that says “This is a data URL!”
Doesn’t seem too dangerous, right?
Data: URLs can also contain arbitrary HTML, images, and other types of data. You can even embed script tags that load external files. Data URLs can also use encoding to obscure what they are doing. While a jumble of letters and numbers may not look very legitimate, it can be combined with other tactics to be an effective mask.
Attackers can pack a data URL with blank spaces to “hide” the full URL. Matthew Bryant put together a demo where he constructed a data URL that mimics Yahoo.com. While the layout is not perfect, it is a fairly good example of how a data URL could be an effective phishing tool:
What you aren’t seeing in the screenshot above is that the URL continues far past the end of the address bar, where it is hiding a script tag that is loading the malicious form. Click here to see this proof of concept live in your browser.
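To show what a defender can actually check for in the traits described above (encoded payloads, whitespace padding that pushes content past the end of the address bar, script tags, and credential forms), here is an added Python triage script. It is not code from the article or from Matthew Bryant’s demo; the sample URLs, the example.invalid host and the 50-character padding threshold are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample data: URLs (not taken from the article or the demo).
# "padded" imitates the trick the text describes: a harmless-looking prefix,
# a long run of spaces, then HTML that loads an external script and shows a
# password form. example.invalid is a reserved, non-routable placeholder host.
SAMPLES = {
    "benign": "data:text/html, This is a data URL!",
    "padded": "data:text/html,Loading..." + " " * 300
              + "<script src='http://example.invalid/x.js'></script>"
              + "<form><input type='password' name='p'></form>",
    "b64": "data:text/html;base64,"
           + base64.b64encode(b"<html><script>document.location="
                              b"'http://example.invalid'</script></html>").decode(),
}


def parse_data_url(url):
    """Split a data: URL into (mediatype, is_base64, decoded_payload).

    Follows the RFC 2397 shape data:[<mediatype>][;base64],<data>; the
    mediatype defaults to text/plain when omitted.
    """
    if not url.lower().startswith("data:"):
        raise ValueError("not a data: URL")
    header, sep, payload = url[5:].partition(",")
    if not sep:
        raise ValueError("malformed data: URL (no comma)")
    params = header.split(";")
    mediatype = params[0] or "text/plain"
    is_base64 = any(p.strip().lower() == "base64" for p in params[1:])
    if is_base64:
        # Tolerate stripped '=' padding, which browsers also accept.
        padded = payload + "=" * (-len(payload) % 4)
        decoded = base64.b64decode(padded).decode("utf-8", "replace")
    else:
        decoded = unquote(payload)
    return mediatype, is_base64, decoded


def assess_data_url(url, pad_threshold=50):
    """Return a list of human-readable findings about a data: URL."""
    mediatype, is_base64, body = parse_data_url(url)
    findings = []
    if mediatype.lower().startswith("text/html"):
        findings.append("renders as an HTML document")
    if is_base64:
        findings.append("base64-encoded payload (obscures content in the address bar)")
    m = re.search(r"[ \t]{%d,}" % pad_threshold, body)
    if m:
        findings.append("whitespace padding of %d characters hides content "
                        "past the address bar" % len(m.group(0)))
    if re.search(r"<script[^>]*\ssrc\s*=", body, re.I):
        findings.append("loads an external script")
    elif re.search(r"<script", body, re.I):
        findings.append("contains inline script")
    if re.search(r"<input[^>]*type\s*=\s*['\"]?password", body, re.I):
        findings.append("contains a password field")
    if re.search(r"<form", body, re.I):
        findings.append("contains a form")
    return findings


def is_suspicious(url):
    """Crude triage rule (an assumption, not a standard): an HTML data: URL
    with at least one obscuring or credential-harvesting trait on top."""
    return len(assess_data_url(url)) >= 2


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", "SUSPICIOUS" if is_suspicious(sample) else "ok")
        for finding in assess_data_url(sample):
            print("   -", finding)
```

Run as a script it prints the findings for each constructed sample; the benign one-liner from the article only renders as HTML, while the padded and base64 samples trip the padding, script and form checks. The same functions can be pointed at data: URLs pulled from proxy logs or mail gateways, which is where a blue team would actually apply them.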
Chrome’s engineers noted that data: URLs accounted for 0.05% of all top-frame navigations over the last 28 days. This may seem small, but it is actually a rather large percentage for a feature that is being considered for removal. However, given the sheer number of cases and complaints of phishing, the danger appears to outweigh legitimate use.
Before Chrome makes changes they usually solicit comments from other Google engineers and the public in the form of an “Intent To” thread. So far, there is support from multiple engineers to have navigation to data: URLs limited. However, they may ultimately decide not to make the change if it will break a significant portion of the web. If you want to voice your comments on this change, you can do so here.