Closed Bug 1837840 Opened 1 year ago Closed 1 year ago

Exploitation of User Trust through Back button or History page

Categories

(Firefox :: Security, defect)

Tracking

RESOLVED DUPLICATE of bug 741050

People

(Reporter: vijay.tikudave, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file spoof.html

Description:
By initially opening a legitimate website (https://google.com) and then, when the browser's back button is used, replacing the URL with a direct download link to an executable file, e.g. (http://pub.agrarix.net/Windows/7-zip/7z922.exe), the script tricks users into unknowingly downloading a file or loading a malicious link without their consent or awareness.

Tested on:
Latest version of Firefox for Windows desktop

Impact:
The impact of this vulnerability includes:

Unauthorized File Download: Users are subjected to an automatic file download without their knowledge or consent.
Potential Malware Distribution: Users may unknowingly download and execute malicious files, exposing their systems to malware or other harmful code.
Risk of Phishing Attacks: The deceptive behavior of the script can be leveraged to trick users into downloading files that appear to be legitimate but are designed to collect sensitive information or perform phishing attacks.
Exploitation of User Trust: By opening a trusted website initially and then switching to a completely unrelated and potentially harmful download, the vulnerability undermines user trust in the web page and its intentions.

Exploit & Steps to Reproduce:
To exploit this vulnerability, an adversary can follow these steps to reproduce the issue:

  1. Access the vulnerable web page using a compatible browser.
  2. Click on the "Open Google" button.
  3. Observe that a new window/tab is opened, seemingly navigating to https://google.com.
  4. Click on the back button. After a delay of 2 seconds, the URL is replaced with http://pub.agrarix.net/Windows/7-zip/7z922.exe.
  5. Notice that the browser automatically triggers a file download without user consent.

Flags: sec-bounty?

Attached image screenshot.png

  1. Access the 'spoof.html' web page using a compatible browser.
  2. Click on the "Open Google" button.
  3. Observe that the browser tab appears to navigate to 'www.google.com'.
  4. Use the browser's back button to view the browsing history.
  5. Notice that the displayed history indicates navigation to the 'Bugzilla' attachment page.
  6. Click the back button.
  7. Observe that, despite going back in the browsing history, the script continues to execute in the background.
  8. Notice that an automatic download of an executable file initiates from 'http://pub.agrarix.net'.
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 741050
Resolution: --- → DUPLICATE
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-
