Closed
Bug 1436075
Opened 7 years ago
Closed 7 years ago
SOP Bypass using rel="noreferrer"
Categories: (Firefox :: Untriaged, defect)
Status: RESOLVED DUPLICATE of bug 1420702
People: (Reporter: mishra.dhiraj95, Unassigned)
Attachments (1 file): 44.70 KB, image/png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180131010234
Steps to reproduce:
Hi Team,
Info, Product Affected:
Name Firefox
Version 58.0.1
Build ID 20180131010234
OS
Linux warmachine 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Summary:
By default, any website passes the whole URL to any external domain (untrusted third-party domains) when a request crosses between two domains, meaning that if the user clicks an external link to a specific website, the whole URL is passed in the request header as part of what is called the Referer header.
But many websites' URL parameter values contain sensitive user information/data such as password reset tokens, OAuth tokens, email addresses and many more; therefore website owners use what is called the rel attribute in the HTML code with the value noreferrer to avoid leaking sensitive data to external domains.
However, we have found that Firefox Quantum seems to ignore the rel="noreferrer" attribute of an <a> tag, which puts Quantum users at risk.
Actual results:
For example:
The HackerOne application (http://hackerone.com/) is strict when it comes to information sharing, because they do not allow anyone from third-party domains to have access to HackerOne users' information; because of that, the HackerOne footer Twitter external link contains the following code:
<a class="footer-nav-item-link icon-share-twitter" href="https://twitter.com/hacker0x01" target="_blank" rel="noreferrer noopener"></a>
When we click on the external Twitter link and capture the request, the request header still contains a Referer header that contains the full URL.
Steps To Reproduce:
1. Find any website page that contains an external link (e.g. Twitter, Facebook, etc.); most external links will be found in the footer as part of their social links.
2. Make sure that the external link you found has a rel="noreferrer" attribute on its <a> tag, or similar to what I have mentioned above in the case of the HackerOne footer.
3. Click the external link and capture the request using Burp Suite.
4. Observe that the request header still has a Referer header despite the website owner putting rel="noreferrer" on the <a> tag that contains the hyperlink to external domains.
Attached is a PoC for reference; I request that the team kindly look into this and advise.
Expected results:
Massive information leakage without knowledge of FF users
PS:
Robin and I have worked together on this bug; I request that the moderators give Robin access to this thread (robindivino@gmail.com).
Updated 7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated 4 years ago
Group: firefox-core-security