Closed Bug 1441475 Opened 6 years ago Closed 6 years ago

BMO is vulnerable to reverse tabnabbing

Categories

(bugzilla.mozilla.org :: General, enhancement)

Production
enhancement
Not set
normal

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: psiinon)

Details

(Keywords: sec-moderate)

BMO uses the link 'target' attribute for links to 3rd party sites without also using rel="noopener noreferrer".
This means that it is vulnerable to reverse tabnabbing as described here: https://www.owasp.org/index.php/Reverse_Tabnabbing

If the 3rd party sites are compromised then the attacker would be able to take control of the BMO tab that was used to open the link and replace it with a phishing site.
It looks like all of the 3rd party links I've found are https so there's no danger of an attacker hijacking a http link on an unsecured network.

I've submitted a PR to fix this: https://github.com/mozilla-bteam/bmo/pull/408

It's worth noting that in the PR I mistakenly mention "_blank" target links - it turns out that all target links that open a new tab are vulnerable. We've got a new version of the ZAP passive scan rule which detects these coming out, so if it finds any more vulnerable links I'll update this issue (and hopefully raise a new PR).

:dylan - let me know if you need any more info about this
Flags: needinfo?(dylan)
Assignee: nobody → sbennetts
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
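
An added example, not part of the bug report, the BMO patch or the ZAP rule: a small Python check that lists third-party links which open a new tab (any `target`, not only `_blank`) without `rel="noopener"` or `rel="noreferrer"`. The host `bugzilla.example`, the sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Targets that reuse an existing browsing context instead of opening a new tab.
SAME_CONTEXT_TARGETS = {"", "_self", "_parent", "_top"}

class TabnabbingLinkFinder(HTMLParser):
    """Collect third-party links that open a new tab without noopener/noreferrer."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.findings = []  # (line, absolute href, target)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {k: (v or "") for k, v in attrs}
        target = attr.get("target", "").strip().lower()
        if target in SAME_CONTEXT_TARGETS:
            return  # no new tab, so no window.opener is handed out
        href = urljoin(self.page_url, attr.get("href", ""))
        host = urlsplit(href).hostname
        if host is None or host == self.own_host:
            return  # same-site or non-network link (mailto:, javascript:, ...)
        rel = set(attr.get("rel", "").lower().split())
        # noreferrer implies noopener in the HTML standard, so either is enough.
        if not rel & {"noopener", "noreferrer"}:
            self.findings.append((self.getpos()[0], href, target))

def find_tabnabbing_links(html, page_url):
    finder = TabnabbingLinkFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from BMO.
SAMPLE = """<p>
<a href="https://thirdparty.example/docs" target="_blank">docs</a>
<a href="https://thirdparty.example/wiki" target="helpwin">wiki</a>
<a href="https://thirdparty.example/faq" target="_blank" rel="noopener noreferrer">faq</a>
<a href="/show_bug.cgi?id=1" target="_blank">same site</a>
<a href="https://thirdparty.example/here" target="_self">same tab</a>
</p>"""

if __name__ == "__main__":
    print(find_tabnabbing_links(SAMPLE, "https://bugzilla.example/"))
```

Run over rendered templates or saved pages, this reports the line, resolved URL and target of each link that still needs the `rel` attribute.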