Closed
Bug 1218123
Opened 9 years ago
Closed 9 years ago
style sheet can read page's text (including input in form control) through abuse of 'unicode-range' descriptor
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | affected |
People
(Reporter: sjw+bugzilla, Unassigned)
References
()
Details
Attachments
(1 file)
|
5.68 KB,
text/html
|
Details |
A POC is already released, marking this as security-sensitive anyway. As Masato Kinugawa describes in his blog, how unicode-range can be used as a keylogger. Google marked this issue as won't fix, but it seems that he didn't report it to Mozilla (they will hopefully care a bit more).
"Source code of page can find out what keys are being pressed" isn't something new; it's been doable for years with DOM events (or, if form controls, reading the value of the control). Is the claim here that there's a category of things that CSS couldn't previously do, *and* that people are assuming that CSS can't do and reasonably depending on that assumption for security? (Are there cases where people use external libraries for downloadable fonts that are only linking to CSS and not linking to JS, which already has the ability to do this?) (There are certainly plenty of existing ways that untrusted CSS could attack a page; linking to style sheets you don't trust has already been a bad idea.)
Summary: Privacy/Security issue with unicode-range spec → style sheet can read page's text (including input in form control) through abuse of 'unicode-range' descriptor
|
||
Updated•9 years ago
|
Group: core-security → gfx-core-security
|
||
Comment 3•9 years ago
|
||
Adding Masato.
Given the lack of description of what the threat is here (who is the attacker, what are they attacking), I think we should open up this bug and mark it as WONTFIX.
(Actually, perhaps INVALID or WORKSFORME makes more sense than WONTFIX, since the issue is that I don't know what the threat being reported is.)
You can find a description about a scenario on the linked blogpost. tl;dr An attacker can use unicode-range to map characters to a specific url, which will allow him to log user inputs *without* using JavaScript. Of course this is a spec issue, but may be we find a way to mitigate this in Firefox. I just uploaded the scenario linked in the blogpost with a little modification. Just open the network monitor and type something in the input field.
Note: You need to allow mixed content for the POC, because it doesn't provide https :(
(In reply to sjw from comment #6) > An attacker can use unicode-range to map characters to a specific url, which > will allow him to log user inputs *without* using JavaScript. Two responses here: * that still doesn't say why this is a problem. Are there people who assume that's not the case * this should be doable with downloadable fonts even *without* unicode-range, so I don't even think there's anything new here. You just need to actually construct fonts with/without specific characters rather than writing the ranges in CSS. I guess it looks like I can't actually open up security bugs anymore.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
|
|
||
Comment 9•9 years ago
|
||
(In reply to David Baron [:dbaron] ⌚UTC-8 from comment #8) > > An attacker can use unicode-range to map characters to a specific url, which > > will allow him to log user inputs *without* using JavaScript. > > * that still doesn't say why this is a problem. Are there people who > assume that's not the case There are people who think that if they disable JavaScript they are safe from maliciousness and tracking. They are incorrect, but this surprises them.
Group: gfx-core-security
|
|
||
Comment 10•8 years ago
|
||
The behavior Masato Kinugawa describes in his blog is a real effect; WONTFIX seems a more appropriate resolution than INVALID.
Resolution: INVALID → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•