Closed Bug 564690 Opened 14 years ago Closed 14 years ago

Information leak in security exception allows user tracking, phishing

Categories

(Core :: Security, defect)

x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 549459

People

(Reporter: bugzilla, Unassigned)

Details

(Keywords: privacy, Whiteboard: [sg:dupe 549459])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Build Identifier: 

When a script tries to access a property on a frame or window on another domain, an exception like the following is thrown:

Error: Permission denied for <http://www.foo.com> to get property Window.x from <http://bar.com>. 

This error leaks the domain of the page that is currently loaded in the window. A malicious web page may use window.open to open new tabs when a user clicks on links, and then track the user as they visit different websites in the tab (provided the user doesn't close the tab with the malicious page).

The malicious page can then set window.location on the opened tab to load fake versions of particular sites that the user visits. For example, if the user visits mybank.com, the malicious page could immediately redirect the user to mybank.com.index.htm.badguy.com. The user may be less likely to notice this if they typed the URL or clicked a bookmark.

There is a demo of this behaviour at http://dev.jigawatt.co.uk/dev/domainleak/. Tabs opened by clicking on the links will be tracked. If you visit mail.google.com, you will be redirected to a fake version. If the popup blocker is disabled for that domain, then tabs opened with Ctrl+T and by middle-clicking on links will also be tracked.

Reproducible: Always
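
An added example (not part of the original report or of Mozilla's code) that turns the leak described above into a regression check: it models the denial message quoted in the report beside a redacted wording and lists which parts of the target window's location each one discloses. The function names, the redacted wording and the sample URLs are assumptions constructed for illustration.

```javascript
// Message format quoted in the report: it names the target window's current site.
function leakyDenial(callerUrl, targetUrl, prop) {
  return `Permission denied for <${new URL(callerUrl).origin}> ` +
         `to get property Window.${prop} from <${new URL(targetUrl).origin}>.`;
}

// Constructed redacted wording (an assumption): it states what was refused,
// and deliberately ignores where the target window currently is.
function redactedDenial(callerUrl, targetUrl, prop) {
  return `Permission denied to access property "${prop}" on cross-origin object`;
}

// Toy same-origin check: on denial, the thrown text is all the caller learns.
function getProperty(denialText, callerUrl, targetUrl, prop) {
  if (new URL(callerUrl).origin === new URL(targetUrl).origin) return undefined;
  throw new Error(denialText(callerUrl, targetUrl, prop));
}

// Regression check: which parts of the target's location appear in the message?
function leakedParts(message, targetUrl) {
  const t = new URL(targetUrl);
  const text = message.toLowerCase();
  const parts = { origin: t.origin, host: t.host, hostname: t.hostname };
  return Object.keys(parts).filter((k) => text.includes(parts[k].toLowerCase()));
}

// Audit one message format against constructed targets (plain host, and a
// subdomain with a non-default port). An empty list means nothing disclosed.
function auditDenial(denialText) {
  const caller = 'http://www.foo.com/page';
  const targets = ['http://bar.com/', 'https://mail.bar.com:8443/inbox'];
  const report = {};
  for (const target of targets) {
    try {
      getProperty(denialText, caller, target, 'x');
      report[target] = ['no exception thrown'];
    } catch (e) {
      report[target] = leakedParts(e.message, target);
    }
  }
  return report;
}

console.log('quoted format  :', auditDenial(leakyDenial));
console.log('redacted format:', auditDenial(redactedDenial));
```
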
This is similar to bug 469939, but in this case the attacker can wait and see what domains the user visits and then hijack user-initiated page loads.
blocking2.0: --- → ?
Keywords: privacy
Whiteboard: [sg:low]
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:low] → [sg:dupe 549459]
blocking2.0: ? → ---
Group: core-security