Improper parsing of QR codes in address bar leads to XSS
Categories
(Firefox for iOS :: Browser, defect, P1)
Tracking
()
People
(Reporter: nikhil.mittal641, Unassigned)
References
Details
(Keywords: sec-moderate, Whiteboard: [fixed by bug 1588928])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Steps to reproduce:
- Goto URL https://www.the-qrcode-generator.com/
- Click on tab
free text - Paste the following exploit to generate QR code
javascript:fetch('https://www.google.com/').then(res=>res.text()).then(data=>alert(data));
- Open firefox and scan the QR code generated by the website
- You will triage javascript code execution in reference to google.com
Video POC: https://drive.google.com/file/d/1G71vasB7MYSUClXDmsx5gV_dYFnLn1Mt/view
Actual results:
This results in stealing users current cookies and data on the current domain by just scanning the QR
Expected results:
javascript URI's should not be allowed, or some kind of warning message should be displayed.
|
||
Comment 1•5 years ago
|
||
I don't see any cookies in this example. Probably does use the users' cookies so the page data might have personalized stuff (e.g. gmail or your bank).
We should only accept http/https urls from external apps or the QR code scanner
Hi Daniel, You can get the cookies by making QR with the following string javascript:alert(document.cookie)
the above exploit meant to be alert the page source from google.com
This bug also works when the CSP is implemented as well.
Vulnerable-page.php
<?php
header("Content-Security-Policy: default-src 'self'");
if(isset($_GET['xss'])) {
echo $_GET['xss'];
}
?>
String to generate QR
javascript:try{alert(document.domain)}catch(e){alert(e.message)}
Hello, please consider the above provide test cases and evaluate the severity, maybe you want to fix it fast.
|
|
||
Updated•5 years ago
|
Hello folks, is their any updates on the fix?
FYI: The same vulnerability reported to other browser vendors as well, they are planning to release advisory in next month.
|
|
||
Comment 7•5 years ago
|
||
Can you paste in the links or reference numbers to other browser's bugs? I understand they will be private for now but will be helpful later or if we need to contact them about it.
|
|
||
Comment 8•5 years ago
|
||
Garvan: will this be fixed by the "bookmarklet" change you recently landed? If not this is the same kind of thing: we should never accept javascript links from anywhere, except where the webview itself handles it in web content. Shouldn't accept non-http(s) links from QR codes or other external sources.
If this is the same mark it "fixed, depends on" so we can properly evaluate the bounty claim.
|
|
||
Updated•5 years ago
|
Fixed by removing javascript: url support in https://bugzilla.mozilla.org/show_bug.cgi?id=1588928
|
Reporter | |
Comment 10•5 years ago
|
||
Hi Dan, do you still need the request ID from other vendors?
Since this has been fixed can we go ahead and request CVE and bounty for this bug?
|
|
Reporter | |
Comment 11•5 years ago
|
||
Also, a blog post is ready to disclose this bug, let me know if you want to review it before I publish it
|
|
||
Updated•5 years ago
|
|
||
Comment 12•5 years ago
|
||
A member of the security team will be reaching out to you regarding reviewing the blog post, I assume through email.
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 months ago
|
Description
•