Closed Bug 1402623 Opened 2 years ago Closed 2 years ago
Data URL Redirection through Tab
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Firefox for Android

Steps to reproduce:

First of all, visit this link http://thewhitehatblog.blogspot.com/2017/09/wht-2.html and click on 'Click Me'. Your previous tab will be redirected to http://evilzone.org due to Tabnapping. OK, no problem.

Now visit this link http://thewhitehatblog.blogspot.com/2017/09/whitehat-testing.html and click on 'Click Me'. Your previous tab will be redirected to a data URI.

Check and observe this on the latest versions of 'Google Chrome' and 'Mozilla Firefox'. Firefox redirects to the data URI, but Chrome doesn't redirect through Tabnapping.

Find any vulnerable site (Facebook and Google are also affected by Tabnapping), find a tabnapping vulnerability or vulnerable site, then perform tabnapping and enter this link http://thewhitehatblog.blogspot.com/2017/09/whitehat-testing.html. When you click this link, your opener window will be hijacked and redirected to the data URI in Firefox, but it doesn't redirect in Chrome.

Read more about TabNapping at https://www.cybrary.it/0p3n/tabnapping-protection-prevention-techniques/

Attack Scenario: An attacker can redirect Firefox users to a data URI through TabNapping and can perform any malicious or malware and suspicious activities.

Let me know if you have any questions or need more info.

Thanks
Cheers
Anas

Actual results:

Redirected to data URI

Expected results:

Shouldn't be redirected to data URI

Many sites, including Facebook and Google, are affected by TabNapping. So an attacker can redirect Firefox users to a data URI very easily through Facebook and other sites, but cannot redirect in Chrome.
If tabnapping is a site problem, how is a data: url any different/worse than any other arbitrary attempt to spoof the user through tabnapping? Either the user looks at the address bar or they don't, and if they do a data: url isn't facebook.com any more than spoofer.com is. To the extent this bug is "behave like Chrome wrt data: urls" that's bug 1401895
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1401895
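The reply above treats tabnapping as a problem of the site that opens the link. As an added example that is not part of the bug thread, the sketch below audits markup for links that leave `window.opener` reachable and rewrites them with `rel="noopener noreferrer"`. The function names and sample markup are constructed for illustration, and it assumes a browser, like the Firefox 55 in the report, that does not imply `noopener` for `target="_blank"`.

```javascript
// Added example (not from the bug report). Regex-based so it runs without a DOM;
// markup with ">" inside attribute values needs a real HTML parser instead.
const TAG_RE = /<(a|area)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = Object.create(null); // no prototype, so odd attribute names are safe keys
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? ""; // first wins, as in HTML
  }
  return attrs;
}

// Assumption: a link is treated as exposing window.opener when it opens another
// browsing context and rel carries neither noopener nor noreferrer.
function exposesOpener(attrs) {
  const target = (attrs.target || "").toLowerCase();
  if (!target || ["_self", "_top", "_parent"].includes(target)) return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  return !(rel.includes("noopener") || rel.includes("noreferrer"));
}

// Returns the href of every link that would hand its opener to the target page.
function findOpenerExposedLinks(html) {
  return [...html.matchAll(TAG_RE)]
    .map((m) => parseAttrs(m[2]))
    .filter(exposesOpener)
    .map((attrs) => attrs.href || "");
}

// Rewrites only the exposed links, dropping an explicit "opener" token.
function hardenLinks(html) {
  return html.replace(TAG_RE, (tag, name, raw) => {
    const attrs = parseAttrs(raw);
    if (!exposesOpener(attrs)) return tag;
    const kept = (attrs.rel || "").split(/\s+/).filter((t) => t && t.toLowerCase() !== "opener");
    attrs.rel = [...kept, "noopener", "noreferrer"].join(" ");
    const out = Object.entries(attrs).map(([k, v]) => ` ${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<${name}${out.join("")}>`;
  });
}

// Constructed sample markup (example.org placeholders).
const SAMPLE_HTML = [
  '<a href="https://example.org/a" target="_blank">unsafe</a>',
  '<a href="https://example.org/b" target="_blank" rel="noopener">safe</a>',
  "<a href='https://example.org/c' target=_blank rel='nofollow opener'>unsafe</a>",
  '<a href="/local">same tab</a>',
].join("\n");
```

Rewritten tags come back with normalized double-quoted attributes; links that were already safe are returned byte for byte.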