Redirecting a "victim" to another website when he tries to leave the "attacker's" webpage using the navigation bar or the back button.

RESOLVED DUPLICATE of bug 839470

Status

Product: Firefox
Component: Untriaged

People

(Reporter: Luan Herrera, Unassigned)

Tracking

Version: 42 Branch
Bug Flags: sec-bounty -


(Reporter)

Description

2 years ago
Created attachment 8666261 [details]
Javascript code to reproduce the attack.

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36

Steps to reproduce:

1. Download index.html
2. Host the downloaded file on a local web server.
3. Open Firefox and visit http://127.0.0.1/index.html
4. Try to access another website using the navigation bar or the back button.


Actual results:

When the victim tries to access another webpage using the navigation bar or the back button, he gets redirected to an arbitrary page chosen by the attacker.


Expected results:

He should have been redirected to the page he was trying to access.
Flags: sec-bounty?
(Reporter)

Comment 1

2 years ago
Oh yes, I am asking for the bounty consideration, sorry for not making it clear on the report.

Comment 2

I can see the behavior where my first attempt to navigate away from the page is thwarted. However, with one more attempt, I'm able to escape just fine.

Is this proof-of-concept something that could be made worse? Can you trap the user for more than one click? As is, it appears as a mild annoyance and probably not serious.
Flags: needinfo?(luan.herrera)
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 3

2 years ago
(In reply to Matt Wobensmith from comment #2)
> I can see the behavior where my first attempt to navigate away from the page
> is thwarted. However, with one more attempt, I'm able to escape just fine. 
> 
> Is this proof-of-concept something that could be made worse? Can you trap
> the user for more than one click? As is, it appears as a mild annoyance and
> probably not serious.

Yes Matt, in my opinion it can be made much worse.
It's possible to trap the user on your website for as many clicks as you want.
He won't be able to escape using the navigation bar, the back button or the search bar; only if he opens a new tab.

This could also be used to redirect the user to an arbitrary webpage when he tries to leave your website using the means mentioned above.

I uploaded a PoC of this on my website, check it on the link below:
http://lherrera.16mb.com/Firefox/noescape.html

But what makes me think this is potentially very harmful and very likely to be exploited is that it's possible to hijack the user's back button and then redirect him to a fake webpage.

I also uploaded a PoC of this:
http://lherrera.16mb.com/Firefox/hijack.html

To reproduce simply click on the link above, then on the attacker's page, click on the back button.
You are supposed to be redirected back to https://bugzilla.mozilla.org/show_bug.cgi?id=1208668 but instead you are redirected to an arbitrary webpage controlled by the attacker. In the case of this PoC, a fake page asking for your credentials.

Any website that allows users to post <a> tags would be susceptible to this attack. And given that almost all websites that allow you to post something also allow you to post this tag, the scope of the attack is huge.
Flags: needinfo?(luan.herrera)

Comment 4

Interesting. Sometimes it becomes impossible to navigate out of this loop - as you mention - yet other times, it's easy.

Regardless, I can see how this could be a real nuisance, and I'm sure we'd like to figure out what's going on here.
Version: 41 Branch → 42 Branch
Group: firefox-core-security
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 839470
Flags: sec-bounty? → sec-bounty-