Closed Bug 1487965 Opened 6 years ago Closed 6 years ago

Cross-Origin URL Steal is possible using performance.getEntries()

Categories

(Core :: DOM: Navigation, defect)

60 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1487964

People

(Reporter: proof131072, Unassigned)


Details

(Keywords: csectype-sop, sec-high)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce:

This is a variant of https://bugzilla.mozilla.org/show_bug.cgi?id=1487964. We don't need to run the main page inside an iframe; also note that while the original bug works on both the latest and older versions of Firefox, this one only works on the latest Firefox Nightly. The original bug does not affect Microsoft Edge, but this one does affect Microsoft Edge.

First, we are using the Resource Timing API to confuse the browser, and this functionality problem ends up being a security bug. We are navigating the cross-origin page inside an embed tag. We can fool the browser, and we are able to access cross-origin URLs. This allows us to access information across origins.

Test live on: http://pwning.click/redirffeg2.php

Proof Of Concept:

redirffeg2.php:

    <embed src="/conff.php">
    <script>
    setTimeout(function(){alert(performance.getEntriesByType("resource")[2].name)},5000);
    </script>

conff.php:

    <script>location="https://www.bing.com/search?q=test"</script>

Tested on Firefox Nightly 63.0a1 (2018-08-31) (64-bit)

Actual results:

Mozilla Firefox allows us to access a cross-origin URL.

Expected results:

Accessing a cross-origin URL should not be possible.
Note that, for Firefox, this only works on Firefox Nightly.
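The expected behaviour the report asks for can be stated as a regression-style audit of a document's Resource Timing timeline: an entry may only name a URL the document itself requested (a location an <embed> later navigated to, as in this bug, or the target of a cross-origin redirect, as in bug 1487964, must never appear), and a cross-origin entry whose server did not grant Timing-Allow-Origin must report 0 for the restricted timing fields. The following is an added example written for this page, not code from the bug report or from Firefox; it goes beyond the report by also checking the timing-field rule. The hostnames app.example and cdn.example and the two timelines are constructed fixtures shaped like PerformanceResourceTiming, not captured browser output, and the timingAllowed set is a harness-side assumption, since a page cannot read the Timing-Allow-Origin decision from the entry itself.

```javascript
// Added regression-style audit for the leak class in this bug (example code,
// not Firefox's). Timelines below are constructed fixtures, not browser output.

// Fields the Resource Timing spec zeroes when the timing-allow check fails.
const RESTRICTED_TIMING_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart", "requestStart",
  "responseStart",
];

// Resolve a URL the way the browser stores it in PerformanceEntry.name.
function resolve(url, base) {
  return new URL(url, base).href;
}

function originOf(url) {
  return new URL(url).origin;
}

// documentUrl:   URL of the document whose timeline is inspected.
// requestedUrls: URLs the document's own markup/scripts asked for (pre-redirect).
// entries:       objects shaped like PerformanceResourceTiming.
// timingAllowed: Set of cross-origin URLs that served a passing
//                Timing-Allow-Origin header (known to the harness, assumed here).
// Returns findings: [{ name, reason, fields? }].
function auditResourceTiming(documentUrl, requestedUrls, entries, timingAllowed = new Set()) {
  const docOrigin = originOf(documentUrl);
  const requested = new Set(requestedUrls.map((u) => resolve(u, documentUrl)));
  const findings = [];
  for (const entry of entries) {
    // 1. URL leak: the timeline names something the document never requested,
    //    e.g. where an <embed> navigated to (this bug) or where a cross-origin
    //    redirect ended up (bug 1487964).
    if (!requested.has(entry.name)) {
      findings.push({ name: entry.name, reason: "unrequested-url" });
      continue;
    }
    // 2. Timing leak: cross-origin without Timing-Allow-Origin must be zeroed.
    if (originOf(entry.name) !== docOrigin && !timingAllowed.has(entry.name)) {
      const exposed = RESTRICTED_TIMING_FIELDS.filter((f) => (entry[f] || 0) !== 0);
      if (exposed.length > 0) {
        findings.push({ name: entry.name, reason: "restricted-timing-exposed", fields: exposed });
      }
    }
  }
  return findings;
}

// Constructed fixtures; DOC_URL and the hostnames are placeholders.
const DOC_URL = "https://app.example/page.html";
const REQUESTED = ["/conff.php", "https://cdn.example/logo.png"];

// What a browser with this bug might expose: the embed's post-navigation
// location shows up as a resource entry, and a cross-origin image without
// Timing-Allow-Origin carries a non-zero redirectStart.
const BUGGY_TIMELINE = [
  { name: "https://app.example/conff.php", initiatorType: "embed", redirectStart: 0, responseStart: 40 },
  { name: "https://www.bing.com/search?q=test", initiatorType: "embed", redirectStart: 0, responseStart: 90 },
  { name: "https://cdn.example/logo.png", initiatorType: "img", redirectStart: 12, responseStart: 0 },
];

// What a conforming browser exposes for the same page.
const COMPLIANT_TIMELINE = [
  { name: "https://app.example/conff.php", initiatorType: "embed", redirectStart: 0, responseStart: 40 },
  { name: "https://cdn.example/logo.png", initiatorType: "img", redirectStart: 0, responseStart: 0 },
];

// Running the audit over the buggy fixture reports the bing.com URL as an
// unrequested URL and the cdn.example entry as exposing redirectStart; the
// compliant fixture yields no findings.
```

In a browser the same function would be fed `performance.getEntriesByType("resource")` together with the list of URLs the test page deliberately embedded, which is the shape of a web-platform test for this class of bug.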
Same as for bug 1487964, Dragana, can you have a look?
Group: firefox-core-security → dom-core-security
Component: Untriaged → Document Navigation
Flags: needinfo?(dd.mozilla)
Product: Firefox → Core
This is probably the same code bug as 1487964, but we'll see when we get it fixed.
I think this is a duplicate of 1487964.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(dd.mozilla)

Removing employee no longer with company from CC list of private bugs.

Group: dom-core-security