Closed
Bug 1208668
Opened 9 years ago
Closed 9 years ago
Redirecting a "victim" to another website when he tries to leave the "attacker's" webpage using the navigation bar or the back button.
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 839470
People
(Reporter: luan.herrera, Unassigned)
Details
Attachments
(1 file)
|
486 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 Steps to reproduce: 1. Download index.html 2. Host the downloaded file on a local web server. 3. Open Firefox and visit http://127.0.0.1/index.html 4. Try to access another website using the navigation bar or the back button. Actual results: When the victim tries to access another webpage using the navigation bar or the back button, he gets redirected to an arbitrary page chosen by the attacker. Expected results: He should have been redirected to the page he was trying to access.
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
Reporter | |
Comment 1•9 years ago
|
||
Oh yes, I am asking for the bounty consideration, sorry for not making it clear on the report.
|
||
Comment 2•9 years ago
|
||
I can see the behavior where my first attempt to navigate away from the page is thwarted. However, with one more attempt, I'm able to escape just fine. Is this proof-of-concept something that could be made worse? Can you trap the user for more than one click? As is, it appears as a mild annoyance and probably not serious.
Flags: needinfo?(luan.herrera)
|
|
||
Updated•9 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Reporter | |
Comment 3•9 years ago
|
||
(In reply to Matt Wobensmith from comment #2) > I can see the behavior where my first attempt to navigate away from the page > is thwarted. However, with one more attempt, I'm able to escape just fine. > > Is this proof-of-concept something that could be made worse? Can you trap > the user for more than one click? As is, it appears as a mild annoyance and > probably not serious. Yes Matt, in my opinion it can made much worse. It's possible to trap the user on your website for as many clicks as you want. He won't be able to escape using the navigation bar, the back button nor the search bar. Just if he opens a new tab. This also could be used to redirect the user to an arbitrary webpage when he tries to leave your website using the mentioned means above. I uploaded a PoC of this on my website, check it on the link below: http://lherrera.16mb.com/Firefox/noescape.html But what makes me think this is potentially very harmful and very likely to be exploited is that it's possible to hijack the user's back button and then redirect him to a fake webpage. I also uplodaded a PoC of this: http://lherrera.16mb.com/Firefox/hijack.html To reproduce simply click on the link above, then on the attacker's page, click on the back button. You are supposed to be redirected back to https://bugzilla.mozilla.org/show_bug.cgi?id=1208668 but instead you are redirected to an arbitrary webpage controlled by the attacker. In the case of this PoC, a fake page asking for your credentials. Any website that allows users to post <a tags> would be susceptible to this attack. And given that almost all websites that allow you to post something also allow you to post this tag, the scope of the attack is huge.
Flags: needinfo?(luan.herrera)
|
|
||
Comment 4•9 years ago
|
||
Interesting. Sometimes it becomes impossible to navigate out of this loop - as you mention - yet other times, it's easy. Regardless, I can see how this could be a real nuisance, and I'm sure we'd like to figure out what's going on here.
Version: 41 Branch → 42 Branch
|
||
Updated•9 years ago
|
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•