Closed Bug 1389674 Opened 8 years ago Closed 8 years ago

Bookmark this link XSS

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
1.0 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 249747

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Steps to reproduce: 1. Go to https://test.shhnjk.com/add_read.html 2. Right click the link and click Bookmark this link 3. Click on saved bookmark and XSS! Actual results: Link was pointing to https://bing.com (you can confirm by hover overing it), but when right clicked, it fires oncontextmenu event and changes the URL to javascript URL. Bookmark takes *changed* URL to bookmark, and the fact that added link is not visible before and after bookmark, allowing attacker to silently injecting javascript to bookmark. Expected results: URL should be taken more early or URL to be registered to the bookmark should be visible to user.
(In reply to Jun from comment #0) > URL should be taken more early This is a losing battle, see https://bugzilla.mozilla.org/show_bug.cgi?id=229050#c27 . In any case, even attempting this would also break "legitimate" (or at least, non-sec-exploity, such as tracking) usecases, without ever really fixing the fundamental issue. > or URL to be registered to the bookmark > should be visible to user. bug 371923 seems like the most obvious solution here. In any case, this is an old, well-known issue.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
14 years old bug!!? Nice :D
You need to log in before you can comment on or make changes to this bug.