Closed Bug 1402623 Opened 7 years ago Closed 7 years ago

Data URL Redirection through TabNapping

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
55 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1401895

People

(Reporter: anasmahmood999, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622
Firefox for Android

Steps to reproduce:

First of all visit this link

http://thewhitehatblog.blogspot.com/2017/09/wht-2.html

and click on 'Click Me'.

Your previous tab will be redirected to http://evilzone.org due to Tabnapping.

OK

No Problem 

Now visit this link 

http://thewhitehatblog.blogspot.com/2017/09/whitehat-testing.html

and click on 'Click Me'.

Your previous tab will be redirected to data uri.

Check and Observe this, on latest version of 'Google Chrome' and 'Mozilla Firefox'.

Firefox redirected to data uri but chrome doesn't redirect through Tabnapping.

Find any vulnerable site, Facebook and Google is also affected by Tabnapping, find tabnapping vulnerability or vulnerable site then perform tabnapping and enter this link http://thewhitehatblog.blogspot.com/2017/09/whitehat-testing.html when u click this link your opener window will be hijacked and redirected to Data uri in Firefox but doesn't redirects in Chrome.

Read More about TabNapping at 
https://www.cybrary.it/0p3n/tabnapping-protection-prevention-techniques/

Attack Scenario: Attacker can redirect firefox users to data uri through TabNapping and can perform any malicious or malware and suspicious activities.

Let me know if u have any question or need more info.
Thanks
Cheers
Anas


Actual results:

Redirected to Data Uri


Expected results:

Shouldn't Redirected to Data Uri
Many sites including Facebook and Google is affected by TabNapping.So attacker can redirect Firefox users to data Uri very easily through Facebook and other sites but can not redirect in chrome.
If tabnapping is a site problem, how is a data: url any different/worse than any other arbitrary attempt to spoof the user through tabnapping? Either the user looks at the address bar or they don't, and if they do a data: url isn't facebook.com any more than spoofer.com is.

To the extent this bug is "behave like Chrome wrt data: urls" that's bug 1401895
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.