Closed Bug 249747 Opened 21 years ago Closed 15 years ago

"Bookmark This Link" can bookmark a javascript: URL with a http: URL shown in the status bar

Categories

(Firefox :: Bookmarks & History, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: danielwang, Unassigned)

References

Details

(Whiteboard: [sg:investigate])

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040702
dupe of bug 40068, but I'd rather not risk exposing a potential security risk
The mouseup event is fired first when the user clicks the Bookmark This Link item on the context menu, and the event handler had time to change the link URL so that the bookmarked URL is not what it seems.
Test code:
<a href="http://www.google.com" onmouseup="this.href='javascript:alert(window.getSelection());';" onclick="this.href='http://www.google.com';" >Bookmark phishing</a>
If the user right-clicks and chooses Bookmark This Link, "javascript:alert(window.getSelection());" is bookmarked. Otherwise, the link looks and behaves just like a regular google.com link.
(btw, someone please lock up bug 249745 (see change history) )
*** Bug 249745 has been marked as a duplicate of this bug. ***
interesting. MSIE has a similar vulnerability (posted to Full Disclosure on 12th)
http://www.securityfocus.com/archive/1/368652
http://www.malware.com/paul.html
I've known about issues like this one, but I assumed we couldn't do anything about them. Daniel: I don't see the similarity between this bug and any part of that IE exploit. The history of the autodrag part of that exploit suggests that this bug will be impossible to fix, though.
The problem isn't the firing of the mouseup event. A malicious site could do the same thing, almost as effectively, with setTimeout. A cleverly written bookmarklet could somewhere (e.g. the spoofed http: URL) in addition to stealing cookies, passwords, etc.
Possible fixes:
1. Store the link URL while opening the context menu instead of grabbing it later. (This would be a good time to call CheckLoadURI, too.) Also take over the status bar to display this URL regardless of what happens on the page while the context menu is visible (e.g. the link changing destination, the link disappearing, a script setting window.status). This would help improve my sanity with respect to the "Save Link As..." menu item, which is not visible if the link is a javascript: link when the context menu is opened.
2. Show the URL in the dialog that appears when you select "Bookmark this link", so that advanced users have another chance to notice the "javascript:" protocol. I think it's strange that this dialog doesn't show the URL being bookmarked.
3. In the dialog that appears when you select "Bookmark this link", include a warning that javascript: URLs are somewhat dangerous.
Similar issues come up with dragging links to bookmarks or to the bookmark toolbar, and even when bookmarking the current page (javascript: URLs can be pages). These ways of adding bookmarks may require different protection UI and mechanisms. See also bug 28387, a WONTFIXed bug for a warning when adding a javascript: bookmark.
Assignee: events → jruderman
Component: DOM: Events → Bookmarks
Product: Core → Firefox
Summary: Clicking "Bookmark This Link" on context menu fires onmouseup event, enabling changing of link URL just in time for bookmark spoofing → "Bookmark This Link" can bookmark a javascript: URL with a http: URL shown in the status bar
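
Added illustration, not part of the bug report and not Firefox code: a small Node.js model of the time-of-check/time-of-use gap discussed above, comparing a context menu that re-reads the link URL when "Bookmark This Link" is chosen with one that follows possible fixes (1) and (3). All function names, the mock link object and the `javascript:void(0)` value are constructed for this sketch.

```javascript
// Added illustration; every name here is hypothetical, not Firefox code.
const WARN_SCHEMES = new Set(["javascript:"]); // assumed warning policy

// Constructed stand-in for a link whose page script swaps href on mouseup.
function makeLink(href) {
  const link = { href };
  link.onmouseup = () => { link.href = "javascript:void(0)"; };
  return link;
}

function schemeOf(url) {
  try { return new URL(url).protocol; } catch { return null; }
}

// Late read: the menu shows the URL at open time but re-reads it on select.
function openMenuLateRead(link) {
  const statusText = link.href;
  return {
    statusText,
    bookmarkThisLink() {
      link.onmouseup();            // fires as the user releases on the item
      return { stored: link.href, warn: false };
    },
  };
}

// Fix (1) plus (3): capture once at open time, use that value for display
// and storage, and flag javascript: URLs for a warning in the dialog.
function openMenuSnapshot(link) {
  const snapshot = link.href;
  const warn = WARN_SCHEMES.has(schemeOf(snapshot));
  return {
    statusText: snapshot,
    bookmarkThisLink() {
      link.onmouseup();            // page script still runs; result is ignored
      return { stored: snapshot, warn };
    },
  };
}

// Returns what the user saw next to what was actually stored.
function demo(openMenu, href) {
  const menu = openMenu(makeLink(href));
  return { shown: menu.statusText, ...menu.bookmarkThisLink() };
}

console.log(demo(openMenuLateRead, "http://www.google.com/"));
console.log(demo(openMenuSnapshot, "http://www.google.com/"));
```

The snapshot variant only guarantees that the stored URL matches the one displayed; a link that is already javascript: when the menu opens is still stored, with the warning flag set.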
I am working on a patch that does part of (1) in bug 303181.
Depends on: 303181
Assignee: jruderman → nobody
QA Contact: ian → bookmarks
Whiteboard: [sg:investigate]
OS: Windows 2000 → All
Hardware: PC → All
Blocks: 376635
No longer blocks: 376635
I don't think we can fix this as stated. The problem is that these URLs are dangerous to bookmark, and we're not going to solve that by making the URLs more visible. Bug 371923 could work, but we really should separate user script buttons from bookmarks. See also bug 476505.
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX