Published 13 years 7 months ago • Last updated March 24, 2025 • ⏱️ 2 min read
Mozilla have now fixed the problem on Thursday. Not only did they take down the original release but fixed it very quickly within two days which is very impressive. Good work!
I was writing some JavaScript and found that the following happens:
/undefined/.test(undefined)//true
The undefined value is converted to a string and then the test returns true. It surprised me but wasn't totally unexpected but then I thought if a string conversion is being done inside the native function then perhaps we can abuse that? Oh yes we can :) I thought how about we apply this to a x-domain protected object. E.g. location of an external iframe. /businessinfo.co.uk/.test(document.getElementById('x').contentWindow.location) worked! But wait if a test works then so could exec and we can get the location from a x-domain. /(.+)/.exec(loc); also works since the x-domain object is being converted to a string in the exec function too.
First thing I thought was I can use twitter to identify the user :) but how? /home doesn't return a unique url, I was searching through twitter to see what urls redirected to a unique url when I found /lists which redirects to twitter.com/uid/lists :) perfect.
Here's how the PoC works. You need to be signed into twitter using https. The PoC then opens a new window to the /lists url on twitter. Waits 5 seconds, then calls a regex on the x-domain object to reveal the twitter username.
function poc() { var win = window.open('https://twitter.com/lists/', 'newWin', 'width=200,height=200'); setTimeout(function(){ alert('Hello '+/^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1]) }, 5000); }
There you have it Firefox is a little to lax with the location object.