Closed
Bug 1441475
Opened 6 years ago
Closed 6 years ago
BMO is vulnerable to reverse tabnabbing
Categories
(bugzilla.mozilla.org :: General, enhancement)
RESOLVED
FIXED
People
(Reporter: psiinon, Assigned: psiinon)
Details
(Keywords: sec-moderate)
BMO uses the link 'target' attribute for links to 3rd party sites without also using rel="noopener noreferrer". This means that it is vulnerable to reverse tabnabbing as described here: https://www.owasp.org/index.php/Reverse_Tabnabbing

If the 3rd party sites are compromised then the attacker would be able to take control of the BMO tab that was used to open the link and replace it with a phishing site. It looks like all of the 3rd party links I've found are https so there's no danger of an attacker hijacking an http link on an unsecured network.

I've submitted a PR to fix this: https://github.com/mozilla-bteam/bmo/pull/408

It's worth noting that in the PR I mistakenly mention "_blank" target links - it turns out that all target links that open a new tab are vulnerable.

We've got a new version of the ZAP passive scan rule which detects these coming out, so if it finds any more vulnerable links I'll update this issue (and hopefully raise a new PR).

:dylan - let me know if you need any more info about this
Updated • 6 years ago
Flags: needinfo?(dylan)
Updated • 6 years ago
Flags: needinfo?(dylan)
Updated • 6 years ago
Assignee: nobody → sbennetts
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
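The check described in the report, as an added example that is not part of the bug, the BMO PR or the ZAP rule: a small template scanner that flags links opening a third-party page in a new tab without `rel="noopener"`, covering named targets as well as `_blank`. The function names, the host `bugzilla.example` and the sample markup are assumptions; accepting `noreferrer` on its own relies on the HTML standard's rule that it implies `noopener`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Targets that stay in an existing browsing context, so no new tab is opened.
SAME_CONTEXT_TARGETS = {"_self", "_parent", "_top"}


class TabnabbingLinkFinder(HTMLParser):
    """Collect third-party links that open a new tab without rel=noopener."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line, href, target)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {name: (value or "") for name, value in attrs}
        target = attr.get("target", "").strip().lower()
        if not target or target in SAME_CONTEXT_TARGETS:
            return
        host = (urlsplit(attr.get("href", "").strip()).hostname or "").lower()
        if not host or host == self.own_host:
            return  # relative link or link to the site itself
        rel = set(attr.get("rel", "").lower().split())
        if not rel & {"noopener", "noreferrer"}:  # noreferrer implies noopener
            self.findings.append((self.getpos()[0], attr["href"], attr["target"]))


def find_unsafe_links(html, own_host):
    finder = TabnabbingLinkFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup and hypothetical host names, not taken from BMO.
SAMPLE = """\
<a href="https://third-party.example/a" target="_blank">blank target, no rel</a>
<a href="https://third-party.example/b" target="docs">named target, no rel</a>
<a href="https://third-party.example/c" target="_blank" rel="noopener noreferrer">fixed</a>
<a href="https://third-party.example/d">same tab</a>
<a href="/show_bug.cgi?id=1" target="_blank">relative link</a>
<a href="https://bugzilla.example/e" target="_blank">own host</a>
"""

if __name__ == "__main__":
    for line, href, target in find_unsafe_links(SAMPLE, "bugzilla.example"):
        print(f"line {line}: {href} (target={target}) lacks rel=noopener")
```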