Closed Bug 692060 Opened 8 years ago Closed 8 years ago

universal xss via linux middle click with javascript:


(Firefox :: Security, defect)
(Reporter: albinowax, Unassigned)


(Whiteboard: [sg:dupe 674161])

On *nix systems, middle clicking in open space with a uri in the clipboard loads it. If the uri is javascript:// it is executed in the context of the current page. By placing a suitable javascript payload on the user's clipboard and contriving to get them to middle click on a different page, that page is XSS'd.

The best/worst I could come up with was getting the user to middle click on the about:addons page which gives the attacker the ability to arbitrarily alter about:config settings, force-install addons (I think) and other Bad things. There are plenty of other potential candidates.

The attack has two steps: getting the payload onto the user's clipboard, and getting the middle-click on the target page. Some (many?) *nix systems automatically copy highlighted data onto the clipboard. Otherwise one would have to resort to using Flash or persuading the user. I'm not aware of any way to force a middle click on a particular page so I merely propose asking the user nicely.

I just guessed the severity and scope of this so they probably need fixing.

Tested with:

javascript:Components.classes[";1"].getService(Components.interfaces.nsIPrefBranch).setBoolPref("security.csp.enable", 0);

Finally, I hereby name this the 'Middle-Click Of Death' ;)

Does anyone know *why* a middle click at a random spot in the page navigates to that URL? I understand that middle-click is supposed to paste, but I never understood or liked the navigation feature.

In any case, I fully agree that we ought to apply the "unsafe link protection" to this case. cc'ing the relevant people from bug 656433.

Moderate because you'd have to combine this with other attacks (unrestricted clipboard writing) in order to do anything directly.

Ever confirmed: true
Whiteboard: [sg:moderate]

Middle-click to navigate is an old feature that's been around forever.

Adding the location bar protections (don't inherit principal) is already on file as bug 674161. I thought there was an existing bug on the chrome-privileged page variant, but I don't know it offhand.

Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 674161
Group: core-security
Whiteboard: [sg:moderate] → [sg:dupe 674161]
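The "unsafe link protection" mentioned above comes down to one rule: text that arrives from the clipboard must never be run as script in the context of the page that happens to be under the mouse. The following is an added illustration of such a guard, written for this page; it is not Firefox code and does not show how the browser actually implements the fix from bug 674161. The scheme list (javascript, vbscript, data) and the function names are assumptions. The one detail worth taking from it is the order of operations: URL parsers strip surrounding whitespace and embedded control characters before they look at the scheme, so a guard that inspects the raw clipboard string would let "java\nscript:" through while the navigation code still sees javascript:. The check therefore runs on the normalized text.

```javascript
// Added example (not Firefox code): a guard for middle-click paste navigation.
// Clipboard text is treated as an untrusted URL candidate, and any scheme that
// would execute in the current document's context is refused before navigation.

// Schemes that run in the context of the current page rather than loading a new
// document. Assumed list for this example; a real browser keeps its own.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// URL parsers drop leading/trailing whitespace and embedded C0 control characters
// (tabs, newlines) before parsing, so "java\nscript:" still parses as javascript:.
// The guard must normalize the same way, or it checks a different string than
// the one that gets navigated.
function normalizeUrlText(text) {
  return text.trim().replace(/[\x00-\x1f\x7f]/g, "");
}

// Returns the lowercase scheme of the text, or null if it has no scheme.
// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
function extractScheme(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// Decide what to do with clipboard text pasted onto a page by middle click.
// Returns { action, url, reason } where action is "navigate", "search" or "block".
function decidePasteNavigation(clipboardText) {
  const text = normalizeUrlText(clipboardText);
  const scheme = extractScheme(text);
  if (scheme === null) {
    // Not a URL at all: hand it to the default search rather than guessing.
    return { action: "search", url: null, reason: "no scheme" };
  }
  if (SCRIPT_SCHEMES.has(scheme)) {
    // Never inherit the current page's principal from pasted text.
    return { action: "block", url: null, reason: scheme + ": would run in page context" };
  }
  return { action: "navigate", url: text, reason: "ok" };
}

// Constructed sample inputs, as an attacker-controlled clipboard might hold them.
const SAMPLES = [
  "https://example.com/",
  "  JavaScript:alert(document.domain)",
  "java\nscript:alert(document.domain)",
  "some words to search for",
];
for (const s of SAMPLES) {
  const d = decidePasteNavigation(s);
  console.log(JSON.stringify(s), "->", d.action, "(" + d.reason + ")");
}
```

The block-versus-search split is deliberate: refusing javascript: outright is the security decision, while sending non-URL text to search is just the usual location-bar behaviour, and keeping the two apart makes the refusal easy to log and audit.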