Closed Bug 1872533 Opened 1 year ago Closed 1 year ago

window.history.state can be accessed by a cross-origin URL, allowing tracking of total browsing history

Categories: Core :: DOM: Navigation (defect), Firefox 121

Tracking: RESOLVED DUPLICATE of bug 1315203

People: Reporter: threatlab.indonesia, Unassigned

Attachments (2 files): 963 bytes, text/html; 1018 bytes, application/octet-stream
Attached file tester.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Firefox for Android

Steps to reproduce:

VULNERABILITY DETAILS
The window.history.state property stores information about the current state of the tab, including the URL, title, and window size. If an attacker can access this property, they can track a user's total browsing history.
In my POC you can see that Firefox may have taken precautions for several functions so that attackers don't get any URL information that was accessed in a tab that has since been overwritten by the attacker's URL, but it seems that Firefox hasn't patched the total history that can be taken.

Recommended fix:

The window.history.state property must be made inaccessible to cross-origin URLs. This can be done by using sandboxes or other security mechanisms to limit access to the property.

REPRODUCTION CASE:

  1. Make sure there are other domains in the tab, or try creating a new tab and alternately opening amazon.com, google.com, and apple.com.
  2. Then open https://bug.omapip.my.id/tester.html
  3. Click the button.
  4. The result will be saved to https://bug.omapip.my.id/result.txt

Because the video is too large for Firefox's size requirements, please access the video on my gdrive below for the POC:

https://drive.google.com/file/d/1mOvrj_LOFOT0xdviPrwAJH369ZmT3TkS/view?usp=sharing

Actual results:

window.history.state can be accessed by a cross-origin URL, allowing tracking of total browsing history

Expected results:

The window.history.state property must be made inaccessible to cross-origin URLs. This can be done by using sandboxes or other security mechanisms to limit access to the property.

Attached file savedata.php
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Navigation
Product: Firefox → Core

This is a known issue with the specs (or a constellation of known issues, really).

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1315203
Resolution: --- → DUPLICATE
Group: dom-core-security
