Closed
Bug 564690
Opened 14 years ago
Closed 14 years ago
Information leak in security exception allows user tracking, phishing
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 549459
People
(Reporter: bugzilla, Unassigned)
References
()
Details
(Keywords: privacy, Whiteboard: [sg:dupe 549459])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 Build Identifier: When a script tries to access a property on a frame or window on another domain, an exception like the following is thrown: Error: Permission denied for <http://www.foo.com> to get property Window.x from <http://bar.com>. This error leaks the domain of the page that is currently loaded in the window. A malicious web page may use window.open to open new tabs when a user clicks on links, and then track the user as they visit different websites in the tab (provided the user doesn't close the tab with the malicious page). The malicious page can then set window.location on the opened tab to load fake versions of particular sites that the user visits. For example, if the user visits mybank.com, the malicious page could immediately redirect the user to mybank.com.index.htm.badguy.com. The user may be less likely to notice this if they typed the URL or clicked a bookmark. There is a demo of this behaviour at http://dev.jigawatt.co.uk/dev/domainleak/. Tabs opened by clicking on the links will be tracked. If you visit mail.google.com, you will be redirected to a fake version. If the popup blocker is disabled for that domain, then tabs opened with Ctrl+T and by middle clicking on links will also be tracked. Reproducible: Always
Reporter | ||
Comment 1•14 years ago
|
||
This is similar to bug 469939, but in this case the attacker can wait and see what domains the user visits and then hijack user initiated page loads.
Reporter | ||
Updated•14 years ago
|
Updated•14 years ago
|
Updated•14 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:low] → [sg:dupe 549459]
Updated•14 years ago
|
blocking2.0: ? → ---
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•