External authentication prompt injection via unsafe remote file include at https://direct.firefox-newtab-proxy.getpocket.com/docs
Categories
(Websites :: Other, task)
Tracking
(Not tracked)
People
(Reporter: todayisnew, Unassigned)
References
()
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Good day, I truly hope it treats you great on your side of the screen :)
I have found that you have a site which is vulnerable to a remote file include to an arbitrary host - in this case, I am able to load my own content from todayisnewpoc.surge.sh.
There is sanitization of the data being loaded from todayisnewpoc.surge.sh, which can prevent some common attack vectors/known payloads, but I am still able to inject a custom authentication prompt which loads when visiting the page.
This prompt is being served from an arbitrary location (authorization.site), which can be modified as needed to be as convincing as possible to any possible victim. Imagine yourdomain.authorization.site, for example. Depending on the browser being used, a message can be included along with the prompt to make it seem more trustworthy.
When a victim enters their information into the prompt, it is sent to the arbitrary location being used by the attacker (authorization.site) along with their IP address, and stored in plain text for the attacker to use when desired.
Additionally, if the victim closes the first prompt, an attacker can serve arbitrary text on the page to encourage them to authorize. If they do so by clicking on the Authorize button, then clicking on the subsequent Authorize button, the victim will again be shown my external authentication prompt from authorization.site.
POC:
https://direct.firefox-newtab-proxy.getpocket.com/docs?url=https://todayisnewpoc.surge.sh/auth2.yaml
How to fix: Restrict the ability to load external json/yaml files via the configUrl and url parameters, or implement an allowed-list for domains which can load via these parameters.
May you be well on your side of the screen :)
-Eric
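The fix the report proposes is an allowed-list for the hosts that the docs page's url and configUrl parameters may load a spec from. The following is an added example of such a check, not code from the report or from the Pocket project, written for a Node/Express-style handler. The allowed hostnames, the fallback spec path and the resolveSpecUrl helper are assumptions for illustration; only the parameter names url and configUrl come from the report. The check deliberately rejects the classic allow-list bypasses (credentials before an @, subdomain suffixing, non-https schemes and relative references) rather than doing a substring match on the host.

```javascript
// Added example: allowed-list check for a user-supplied spec URL.
// Hostnames here are assumptions for illustration, not a real configuration.
const ALLOWED_SPEC_HOSTS = new Set([
  "direct.firefox-newtab-proxy.getpocket.com", // assumed: the docs host itself
  "specs.example.com",                         // assumed: a first-party spec bucket
]);

// Returns true only for an absolute https URL whose hostname is exactly on the list.
function isAllowedSpecUrl(raw) {
  let u;
  try {
    u = new URL(raw);               // throws on relative (//host/x) or malformed input
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;   // rejects http:, javascript:, data:, file:
  if (u.username || u.password) return false;  // rejects https://allowed@attacker.example/
  // Exact match on the normalised hostname; a trailing dot is stripped so
  // "specs.example.com." cannot slip past while still resolving to the same host.
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  return ALLOWED_SPEC_HOSTS.has(host);         // "specs.example.com.evil.example" fails here
}

// Picks the spec the docs page should render: the user-supplied url/configUrl
// only if it passes the allowed-list, otherwise the built-in default.
function resolveSpecUrl(query, fallbackSpec) {
  const candidate = query.url ?? query.configUrl;
  if (candidate === undefined) return fallbackSpec;
  return isAllowedSpecUrl(String(candidate)) ? String(candidate) : fallbackSpec;
}

// Usage, e.g. inside an Express handler for /docs:
//   const spec = resolveSpecUrl(req.query, "/openapi.yaml");
//   res.render("docs", { specUrl: spec });

module.exports = { isAllowedSpecUrl, resolveSpecUrl };
```

Because the decision is made server-side before the spec URL is handed to the docs renderer, a rejected value such as the report's PoC host simply falls back to the default spec instead of fetching attacker-controlled YAML; if the page never needs third-party specs at all, the stricter option from the report (dropping the parameters entirely) removes the attack surface outright.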