Closed Bug 1150084 Opened 9 years ago Closed 7 years ago

Window opener property bug leading to tab hijacking

Categories

(Webmaker Graveyard :: General, defect)

Product:
Webmaker Graveyard
Component:
General
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: yaaboukir, Unassigned)

Details

(Keywords: sec-low) 

Hi

I discovered that user website link is being opened in a new tab ( target="_blank" ), the page that opens in a new tab can hijack the initial tab and change its location using the window.opener property.
This bug was tested on : Firefox, Chrome, Explorer
This security flaw represents a huge risk when it exploited to trick users that click on the external link from profile to be a victim of a scam page because the redirecting is made in the background, while the user is focused on another tab.
For example, I can set up a fake login page, so when the user open up the external link the initial page will be redirected to the fake login and the user won't notice the difference.

Proof Of Concept :
---------------------

1. I hosted a page on my own website with the following code : 
<script>
window.opener.location = "http://www.evil00.com";
</script>
2. Go to https://webmaker.org/en-US/user/reflected/ and change my personal website to the malicious link : http://www.yassineaboukir.com/test.html (you can test it)
3. Click on the link and you will notice that the initial tab will be hijacked and redirected to the malicious/fake page.

Mitigation :
-------------
1. Don't open links in new tabs using the target="_blank";
2. Set the window.opener attribute to null on the new tab before redirecting to the landing page.

Best regards.
Yassine ABOUKIR
Webmaker (and all our sites) should put rel=noreferrer on such links -- that will kill the opener as well as the referrer.

Although tabnapping like this is a real spoofing attack technique there doesn't seem to be any attacker advantage in making a user think some other page is a webmaker profile page. A user might then try to log in, but our login scheme doesn't seem to use passwords (good!) so there's only limited value.

This flaw doesn't need to be hidden. If anything publicizing that users need to recheck the URL of tabs they switch back to is protective to users -- any number of things (benign and otherwise) can cause a page to navigate and the tab may no longer be what the user expects.
Group: websites-security
Keywords: sec-low
Closing this bug as part of the Deprecation of the Webmaker Product on Bugzilla. If this issue needs to re resolved in another manner, re-file it in a new Product or find the associated project on Github (http://github.com/mozilla) and file an issue there.

see bug 1347718
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.