Closed Bug 1436075 Opened 7 years ago Closed 7 years ago

SOP Bypass using rel="noreferrer"

Categories

(Firefox :: Untriaged, defect)

58 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1420702

People

(Reporter: mishra.dhiraj95, Unassigned)

Details

Attachments

(1 file)

Attached image PoC.png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180131010234

Steps to reproduce:

Hi Team,

Info, Product Affected:
Name: Firefox
Version: 58.0.1
Build ID: 20180131010234
OS: Linux warmachine 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Summary: By default, any website passes the whole URL to any external domain (untrusted third-party domains) when a request crosses between two domains; that is, if the user clicks an external link to a specific website, the whole URL is passed in the request header as part of what we call the Referer header. But many websites' URL parameter values contain sensitive user information/data such as password reset tokens, OAuth tokens, email addresses and many more; therefore website owners use what we call a rel attribute in the HTML code with the value noreferrer to avoid leaking sensitive data to external domains. However, we have found that Firefox Quantum seems to ignore the rel="noreferrer" attribute of an <a> tag, which puts Quantum users at risk.

Actual results:

For example: the HackerOne application (http://hackerone.com/) is strict when it comes to information sharing, because they do not allow anyone from third-party domains to have access to HackerOne users' information; because of that, the HackerOne footer Twitter external link contains the following code:

<a class="footer-nav-item-link icon-share-twitter" href="https://twitter.com/hacker0x01" target="_blank" rel="noreferrer noopener"></a>

When we click on the external Twitter link and capture the request, the request header still contains a Referer header that contains the full URL.

Steps To Reproduce:

1. Find any website page that contains an external link (e.g. Twitter, Facebook, etc.); most external links will be found in the footer as part of their social links.
2. Make sure that the external link you found has a rel="noreferrer" attribute on its <a> tag, or similar to what I have mentioned above in the case of the HackerOne footer.
3. Click the external link and capture the request using Burp Suite.
4. Observe that the request header still has a Referer header despite the website owner putting rel="noreferrer" on the <a> tag that contains the hyperlink to external domains.

Attached PoC for reference; request team to kindly look into this and advise.

Expected results:

Massive information leakage without knowledge of FF users

PS: Robin and I have worked together on this bug; request moderators to give access to Robin for this thread (robindivino@gmail.com).
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
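A static audit of a page's markup for cross-host links that lack rel="noreferrer", added here as an example and not part of the bug report or of Firefox; the sample HTML (including the HackerOne footer anchor quoted above) and the site origin https://hackerone.com are constructed inputs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup (not fetched from any live site): the HackerOne footer
# anchor quoted in the report, plus a few other links for contrast.
SAMPLE_HTML = """
<footer>
  <a class="footer-nav-item-link icon-share-twitter"
     href="https://twitter.com/hacker0x01" target="_blank" rel="noreferrer noopener"></a>
  <a href="https://www.facebook.com/example" target="_blank" rel="noopener">Facebook</a>
  <a href="https://example.net/docs">Docs</a>
  <a href="https://hackerone.com/directory">Directory</a>
  <a href="/settings">Settings</a>
</footer>
"""


class AnchorCollector(HTMLParser):
    """Record the attributes of every <a> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self.anchors.append({name: (value or "") for name, value in attrs})


def audit_external_links(html, site_origin):
    """One finding per anchor pointing at another host: its href and whether its
    rel token list contains noreferrer. Relative and same-host links are skipped."""
    parser = AnchorCollector()
    parser.feed(html)
    site_host = urlparse(site_origin).netloc.lower()
    findings = []
    for a in parser.anchors:
        href = a.get("href", "")
        host = urlparse(href).netloc.lower()
        if not host or host == site_host:
            continue
        rel_tokens = set(a.get("rel", "").lower().split())  # rel is space-separated
        findings.append({"href": href, "noreferrer": "noreferrer" in rel_tokens})
    return findings


def links_missing_noreferrer(html, site_origin):
    """Hrefs of cross-host links that do not ask the browser to suppress Referer."""
    return [f["href"] for f in audit_external_links(html, site_origin)
            if not f["noreferrer"]]
```

The markup only requests suppression; whether the browser honours that request is what the report above is about, so this audit checks the site's side of the contract, not the browser's.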