BMO is vulnerable to reverse tabnabbing

RESOLVED FIXED

Status


enhancement
a year ago
a year ago

People

(Reporter: psiinon, Assigned: psiinon)

Tracking

(Blocks 1 bug, {sec-moderate})

Production

Firefox Tracking Flags

(Not tracked)

Details


Description

a year ago
BMO uses the link 'target' attribute for links to 3rd party sites without also using rel="noopener noreferrer".
This means that it is vulnerable to reverse tabnabbing as described here: https://www.owasp.org/index.php/Reverse_Tabnabbing

If the 3rd party sites are compromised then the attacker would be able to take control of the BMO tab that was used to open the link and replace it with a phishing site.
It looks like all of the 3rd party links I've found are https so there's no danger of an attacker hijacking a http link on an unsecured network.

I've submitted a PR to fix this: https://github.com/mozilla-bteam/bmo/pull/408

It's worth noting that in the PR I mistakenly mention "_blank" target links - it turns out that all target links that open a new tab are vulnerable. We've got a new version of the ZAP passive scan rule which detects these coming out, so if it finds any more vulnerable links I'll update this issue (and hopefully raise a new PR).

:dylan - let me know if you need any more info about this

Updated

a year ago
Flags: needinfo?(dylan)
Assignee: nobody → sbennetts
Group: bugzilla-security
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
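
A static check for the pattern this bug describes, as an added example that is not code from BMO, the linked PR, or the ZAP scan rule: it reports third-party links that carry a new-tab `target` but no `rel` value containing `noopener` or `noreferrer`. The page URL `https://bmo.example/`, the sample markup and all function names are constructed assumptions, and any target other than `_self`, `_parent` or `_top` is treated as opening a new tab.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Targets that stay in an existing browsing context; anything else
# (_blank or a custom window name) is treated here as opening a new tab.
SAME_CONTEXT_TARGETS = {"", "_self", "_parent", "_top"}


class TabnabbingLinkFinder(HTMLParser):
    """Collects third-party links that open a new tab without rel=noopener."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {k: (v or "") for k, v in reversed(attrs)}  # first duplicate wins
        target = attr.get("target", "").strip().lower()
        if target in SAME_CONTEXT_TARGETS or "href" not in attr:
            return
        url = urlsplit(urljoin(self.page_url, attr["href"].strip()))
        if url.scheme not in ("http", "https") or url.hostname == self.page_host:
            return  # same-site or non-web link: not a third-party opener
        rel = set(attr.get("rel", "").lower().split())
        # noreferrer implies noopener, so either token closes the hole
        if not rel & {"noopener", "noreferrer"}:
            line, _ = self.getpos()
            self.findings.append((line, url.geturl(), target))


def find_vulnerable_links(html, page_url):
    """Return (line, absolute_url, target) for each link needing a rel fix."""
    finder = TabnabbingLinkFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup, not taken from BMO templates.
SAMPLE = """<a href="https://thirdparty.example/a" target="_blank">1</a>
<a href="https://thirdparty.example/b" target="_blank" rel="noopener noreferrer">2</a>
<a href="https://thirdparty.example/c" target="helpwin">3</a>
<a href="/show_bug.cgi?id=1" target="_blank">4</a>
<a href="https://thirdparty.example/d">5</a>
<a href="https://thirdparty.example/e" TARGET="_BLANK" rel="nofollow">6</a>"""
```

Calling `find_vulnerable_links(SAMPLE, "https://bmo.example/")` reports the links on lines 1, 3 and 6; the same-site link and the link without a `target` are skipped.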