BMO is vulnerable to reverse tabnabbing

Status: RESOLVED FIXED

People: Reporter: psiinon; Assigned: psiinon

Tracking: Blocks: 1 bug, {sec-moderate}
Production, sec-moderate

Description (Assignee), 9 months ago:
BMO uses the link 'target' attribute for links to 3rd party sites without also using rel="noopener noreferrer".
This means that it is vulnerable to reverse tabnabbing as described here: https://www.owasp.org/index.php/Reverse_Tabnabbing

If the 3rd party sites are compromised then the attacker would be able to take control of the BMO tab that was used to open the link and replace it with a phishing site.
It looks like all of the 3rd party links I've found are https, so there's no danger of an attacker hijacking a http link on an unsecured network.

I've submitted a PR to fix this: https://github.com/mozilla-bteam/bmo/pull/408

It's worth noting that in the PR I mistakenly mention "_blank" target links - it turns out that all target links that open a new tab are vulnerable. We've got a new version of the ZAP passive scan rule which detects these coming out, so if it finds any more vulnerable links I'll update this issue (and hopefully raise a new PR).

:dylan - let me know if you need any more info about this.
Updated (Assignee), 9 months ago:
Flags: needinfo?(dylan)
Assignee: nobody → sbennetts
Group: bugzilla-security
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED