Firefox knows what your friends did last summer


Mozilla have now fixed the problem on Thursday. Not only did they take down the original release but fixed it very quickly within two days which is very impressive. Good work!

I was writing some JavaScript and found that the following happens:


The undefined value is converted to a string and then the test returns true. It surprised me but wasn’t totally unexpected but then I thought if a string conversion is being done inside the native function then perhaps we can abuse that? Oh yes we can πŸ™‚ I thought how about we apply this to a x-domain protected object. E.g. location of an external iframe. /businessinfo\.co\.uk/.test(document.getElementById(‘x’).contentWindow.location) worked! But wait if a test works then so could exec and we can get the location from a x-domain. /(.+)/.exec(loc); also works since the x-domain object is being converted to a string in the exec function too.

First thing I thought was I can use twitter to identify the user πŸ™‚ but how? /home doesn’t return a unique url, I was searching through twitter to see what urls redirected to a unique url when I found /lists which redirects to πŸ™‚ perfect.

Here’s how the PoC works. You need to be signed into twitter using https. The PoC then opens a new window to the /lists url on twitter. Waits 5 seconds, then calls a regex on the x-domain object to reveal the twitter username.

function poc() {
var win ='', 'newWin', 'width=200,height=200');
alert('Hello '+/^https:\/\/\/([^/]+)/.exec(win.location)[1])
}, 5000);


There you have it Firefox is a little to lax with the location object.

13 Responses to “Firefox knows what your friends did last summer”

  1. Gareth Heyes writes:

    It appears alert(document.getElementById(‘x’).contentWindow.location) works too. It seems that it’s unrelated to the string conversion and that Firefox is in fact leaking location anyway.

  2. Pausl Stone writes:

    In Firefox 15.0.1, I get this error in the console when I run your PoC:

    Error: Permission denied for to call method Location.toString

    Which is what you’d normally expect when accessing window.location cross-domain. What version of FF did you test this in?

  3. Gareth Heyes writes:

    Firefox 16.0

  4. Paul Stone writes:

    Yeah, I updated to 16 and your PoC – so it’s a recent regression. However just doing alert(win.location) also works, so it looks like the funky regex stuff isn’t actually needed.

  5. Gareth Heyes writes:

    Yeah I realised that after the blog post πŸ™‚ but that was my thinking to how I discovered it.

  6. insertScript writes:

    Nice one πŸ˜‰

  7. Wess writes:

    Why did you disclose this before Mozilla was able to fix this?

  8. antisnatchor writes:

    LOL @Wess πŸ˜€
    As always, nice one Gareth!

  9. Gian-Carlo Pascutto writes:

    >Why did you disclose this before Mozilla was able to fix this?

    He missed out on a 3000 USD bug bounty by doing so. (Maybe the publicity was worth it, I don’t know)

  10. Gareth Heyes writes:


    I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.

  11. justin writes:

    >Why did you disclose this before Mozilla was able to fix this?

    >I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.

    GG OP. πŸ™‚

  12. johnnymous writes:

    getting a bug bounty is unrelated to disclosure. you can submit it to mozilla *and* do a blog post to get the bug bounty πŸ™‚ they don’t buy your silence. they only buy your bug.

  13. Gareth Heyes writes:

    LOL I’ve exploited you all mentally. You cannot understand why I didn’t take the cash. You then say it’s for publicity LOL because it hurts your logic circuits. Listen I love bugs, so did everyone else now most of you love your bounty.