Hi,

I discovered that the user website link is being opened in a new tab (target="_blank"). The page that opens in the new tab can hijack the initial tab and change its location using the window.opener property.

This bug was tested on: Firefox, Chrome, Explorer.

This security flaw represents a huge risk when it is exploited to trick users who click on the external link from a profile into becoming victims of a scam page, because the redirect is made in the background while the user is focused on another tab. For example, I can set up a fake login page, so when the user opens up the external link the initial page will be redirected to the fake login and the user won't notice the difference.

Proof Of Concept:
---------------------
1. I hosted a page on my own website with the following code:

    <script>
    window.opener.location = "http://www.evil00.com";
    </script>

2. Go to https://webmaker.org/en-US/user/reflected/ and change my personal website to the malicious link: http://www.yassineaboukir.com/test.html (you can test it)
3. Click on the link and you will notice that the initial tab will be hijacked and redirected to the malicious/fake page.

Mitigation:
-------------
1. Don't open links in new tabs using target="_blank";
2. Set the window.opener attribute to null on the new tab before redirecting to the landing page.

Best regards.
Yassine ABOUKIR
Webmaker (and all our sites) should put rel=noreferrer on such links -- that will kill the opener as well as the referrer. Although tabnapping like this is a real spoofing attack technique, there doesn't seem to be any attacker advantage in making a user think some other page is a webmaker profile page. A user might then try to log in, but our login scheme doesn't seem to use passwords (good!), so there's only limited value. This flaw doesn't need to be hidden. If anything, publicizing that users need to recheck the URL of tabs they switch back to is protective to users -- any number of things (benign and otherwise) can cause a page to navigate, and the tab may no longer be what the user expects.
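The rel-attribute fix proposed in the comment above, worked through as an added example that is not code from the bug report or from the Webmaker project: every anchor that opens a new browsing context gets rel tokens that sever window.opener (noopener, plus noreferrer as the comment suggests), while existing tokens such as nofollow are preserved. The sample profile markup, the attribute parser and the function names are constructed for this example.

```javascript
// Added example: harden outbound links against reverse tabnabbing by making
// sure every anchor that opens a new tab carries rel="noopener noreferrer".
// Works on plain attribute maps, so it runs in Node without a DOM.

const REQUIRED_REL = ["noopener", "noreferrer"];

// Merge the rel tokens a link already has (e.g. "nofollow") with the ones that
// prevent the new page from reaching window.opener. Order is preserved.
function hardenRel(existingRel) {
  const tokens = new Set((existingRel || "").split(/\s+/).filter(Boolean));
  for (const t of REQUIRED_REL) tokens.add(t);
  return [...tokens].join(" ");
}

// Only links that may open a new browsing context hand that context an opener
// reference: target="_blank" or a named target. _self/_parent/_top navigate
// an existing context and need no change.
function needsHardening(attrs) {
  const target = (attrs.target || "").trim();
  return target !== "" && !["_self", "_parent", "_top"].includes(target);
}

// Return a copy of the anchor's attributes with rel hardened when required.
function hardenAnchor(attrs) {
  return needsHardening(attrs) ? { ...attrs, rel: hardenRel(attrs.rel) } : { ...attrs };
}

// Minimal parser/serializer for the attribute body of one <a ...> tag.
// Assumes well-formed markup with double-quoted values (constructed input).
function parseTag(body) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(body)) !== null) attrs[m[1]] = m[2] === undefined ? true : m[2];
  return attrs;
}
function serializeTag(attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => (v === true ? k : `${k}="${v}"`));
  return `<a ${parts.join(" ")}>`;
}

// Rewrite every opening <a> tag in a fragment of profile markup.
function hardenMarkup(html) {
  return html.replace(/<a\s+([^>]*)>/gi, (_m, body) => serializeTag(hardenAnchor(parseTag(body))));
}

// Constructed sample: one external link opened in a new tab, one internal link.
const SAMPLE_PROFILE_HTML =
  '<p>Website: <a href="https://example.org/" target="_blank" rel="nofollow">example.org</a>' +
  ' | <a href="/en-US/user/reflected/">Profile</a></p>';

console.log(hardenMarkup(SAMPLE_PROFILE_HTML));
```

Current browsers already treat target="_blank" as implying noopener, but setting rel explicitly covers older browsers and named targets, and noreferrer additionally withholds the Referer header as the comment notes.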
Closing this bug as part of the Deprecation of the Webmaker Product on Bugzilla. If this issue needs to be resolved in another manner, re-file it in a new Product or find the associated project on Github (http://github.com/mozilla) and file an issue there. See bug 1347718.