Closed Bug 1518942 Opened 5 years ago Closed 5 years ago

Hijack/Prevent Address Bar and Bookmark Navigation

Categories

(Firefox :: Security, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1263100

People

(Reporter: gshively11, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file hijack_navigation.html

We found this while testing one of our web applications. We reproduced the bug on the latest public version of Firefox (64) for macOS 10.13 and Windows 10. See the attached HTML page to reproduce the issue.

Performing an asynchronous window.location.assign call in beforeunload will overwrite the navigation performed by the address bar or when clicking on a bookmark url.

This could be used in a couple of ways:

  • Phishing attacks for commonly visited websites (user navigates to facebook.com via bookmark or address bar, but is actually sent to a convincing phishing website with a similar-looking domain).
  • Prevent users from navigating away from a page (send user back to the current location), useful for malicious advertisements.

This is actually a slightly more severe spinoff from Bug 1404513 which was never addressed. This new version impacts bookmark links in addition to address bar navigation.

If you want a pre-hosted example of this bug, you can use this sandbox: https://j368lwy603.codesandbox.io/

Flags: sec-bounty?

It also overrides the navigation from the search bar. The only thing it doesn't seem to override is the back/forward buttons.

Thanks for the report. Unfortunately, this is a duplicate. The duplicate is already public, so making this public, too.

I appreciate that Bugzilla's search is... arcane and tricky to get used to, but for reference, quicksearching for 'beforeunload location' turns up the duplicate bug here.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Should Bug 1404513 be marked as a duplicate as well then? It's basically the same issue, just triggered in a different manner.

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Grant Shively from comment #3)

> Should Bug 1404513 be marked as a duplicate as well then? It's basically the same issue, just triggered in a different manner.

Does it use beforeunload? I don't see it doing so from a very quick skim (sorry, a bit too much to try to get to today).

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(gshively11)

It doesn't, it uses focus instead. Navigating via the address bar triggers one final focus on the page, and we figured out a way to detect that last focus, so we use it to trigger an asynchronous window.location.assign, which is the heart of the bug. This method doesn't hijack as many navigation methods as beforeunload does, but it's still using the same core bug.

Flags: needinfo?(gshively11) → needinfo?(gijskruitbosch+bugs)
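The scanner below is an added example; it is not code from the bug report, its attachment, or Mozilla. It covers both shapes the thread describes: the beforeunload handler from comment 0 that schedules an asynchronous window.location.assign, and the focus-driven variant from comment 5 (pass `['focus']` as the event list for that one). It is meant for the defender's side of this, reviewing third-party scripts or ad creatives before they are served, and it is a purely textual heuristic (regexes plus bracket matching) that never executes the JavaScript it inspects. The deferral and sink pattern lists, the `example.net` destination, and all four fixtures are my own constructions.

```javascript
// Added example, not code from the bug report or its attachment: a static scanner for
// handlers on unload-family events that schedule a navigation to run after the handler
// itself has returned. Textual heuristic only; it never executes what it inspects.

const DEFAULT_EVENTS = ['beforeunload', 'unload', 'pagehide'];

// Primitives that defer work until after the handler's synchronous return.
const DEFERRAL_PATTERNS = [
  /\bsetTimeout\s*\(/, /\bsetInterval\s*\(/, /\brequestAnimationFrame\s*\(/,
  /\bqueueMicrotask\s*\(/, /\.then\s*\(/, /\bawait\b/, /\bnew\s+Promise\s*\(/,
];

// Sinks that can redirect the document.
const NAV_PATTERNS = [
  /\blocation\s*\.\s*assign\s*\(/, /\blocation\s*\.\s*replace\s*\(/,
  /\blocation\s*\.\s*href\s*=[^=]/, /\blocation\s*=[^=]/, /\bwindow\s*\.\s*open\s*\(/,
];

// Slice of `src` from `start` to the end of the enclosing statement or call. Brackets
// are tracked (string literals skipped); the region ends at the first unmatched
// closing bracket, or at ';' / newline while no bracket is open.
function handlerRegion(src, start) {
  let depth = 0, quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if ('({['.includes(ch)) depth++;
    else if (')}]'.includes(ch)) { if (--depth < 0) return src.slice(start, i); }
    else if (depth === 0 && (ch === ';' || ch === '\n')) return src.slice(start, i);
  }
  return src.slice(start);
}

// Append to `region` the body of every function declared elsewhere in `src` under a
// name that appears in the region, so `onbeforeunload = leave` is checked against the
// body of `leave` (declaration, function expression or arrow assignment).
function withNamedFunctions(src, region) {
  let text = region;
  for (const name of new Set(region.match(/[A-Za-z_]\w*/g) || [])) {
    const def = new RegExp(
      `function\\s+${name}\\s*\\(|\\b${name}\\s*=\\s*(async\\s+)?(function\\b|\\([^)]*\\)\\s*=>)`);
    const m = def.exec(src);
    if (m) text += '\n' + handlerRegion(src, m.index);
  }
  return text;
}

// Report handlers for `events` whose code reaches a navigation sink. Severity is 'high'
// when the navigation is deferred (the shape in this report) and 'low' when it is
// synchronous, which browsers generally ignore but which still deserves a look.
function findDeferredNavigationInHandlers(src, events = DEFAULT_EVENTS) {
  const findings = [];
  for (const ev of events) {
    // matches addEventListener('<ev>', ...), on<ev> = ... and window.on<ev> = ...
    const re = new RegExp(`['"\`]${ev}['"\`]|\\bon${ev}\\s*=`, 'g');
    for (let m; (m = re.exec(src)) !== null;) {
      const text = withNamedFunctions(src, handlerRegion(src, m.index));
      const sinks = NAV_PATTERNS.filter(p => p.test(text)).map(p => p.source);
      if (sinks.length === 0) continue;
      const deferrals = DEFERRAL_PATTERNS.filter(p => p.test(text)).map(p => p.source);
      findings.push({
        event: ev,
        line: src.slice(0, m.index).split('\n').length,
        severity: deferrals.length ? 'high' : 'low',
        deferrals, sinks,
      });
    }
  }
  return findings;
}

// Constructed fixtures (not the attachment): the shape the report describes, a benign
// "unsaved changes" prompt, a handler referenced by name, and the focus-driven variant
// from later in the thread. example.net stands in for any destination.
const SAMPLE_HIJACK = [
  "window.addEventListener('beforeunload', function () {",
  "  setTimeout(function () { window.location.assign('https://example.net/'); }, 0);",
  "});",
].join('\n');
const SAMPLE_BENIGN = [
  "window.addEventListener('beforeunload', (e) => {",
  "  if (form.dirty) { e.preventDefault(); e.returnValue = ''; }",
  "});",
].join('\n');
const SAMPLE_NAMED = [
  'function leave() {',
  "  Promise.resolve().then(() => { location.href = 'https://example.net/'; });",
  '}',
  'window.onbeforeunload = leave;',
].join('\n');
const SAMPLE_FOCUS =
  "window.addEventListener('focus', () => setTimeout(() => location.replace('https://example.net/'), 0));";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries({ SAMPLE_HIJACK, SAMPLE_BENIGN, SAMPLE_NAMED })) {
    console.log(name, JSON.stringify(findDeferredNavigationInHandlers(src)));
  }
  console.log('SAMPLE_FOCUS', JSON.stringify(findDeferredNavigationInHandlers(SAMPLE_FOCUS, ['focus'])));
}
```

Run it with node and it prints one high-severity finding for the hijack and named-handler fixtures, none for the benign prompt, and one for the focus fixture only when `focus` is in the event list. Because it matches text rather than executing code, it misses handlers built dynamically (event names assembled at runtime, bodies fetched later) and can flag legitimate code that navigates from an unload handler; treat hits as review candidates, not verdicts.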

(In reply to Grant Shively from comment #5)

> It doesn't, it uses focus instead. Navigating via the address bar triggers one final focus on the page, and we figured out a way to detect that last focus, so we use it to trigger an asynchronous window.location.assign, which is the heart of the bug. This method doesn't hijack as many navigation methods as beforeunload does, but it's still using the same core bug.

I'm ultimately not sure. I'll ask someone more familiar with DOM on that bug.

Flags: needinfo?(gijskruitbosch+bugs)
Flags: sec-bounty? → sec-bounty-