Bug 96559
Summary: | Web Inspector: information leak in JS console | | |
---|---|---|---|
Product: | WebKit | Reporter: | Thaddee Tyl <thaddee.tyl> |
Component: | Web Inspector (Deprecated) | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED INVALID | | |
Severity: | Major | CC: | apavlov, bweinstein, caseq, joepeck, keishi, loislo, paulirish, pfeldman, pmuellr, rik, timothy, yurys |
Priority: | P2 | | |
Version: | 528+ (Nightly build) | | |
Hardware: | All | | |
OS: | All | | |
Thaddee Tyl
How to reproduce:
1. Go to the following URL: data:text/html,<!doctype><title></title><script>window.eval = function (e) { console.log('sending ' + e + ' to a malicious website!'); };</script>
2. Open the JS console.
3. Enter something.
What happens:
The JS console is, in this case, rendered useless because it outputs
sending with ((window && window.console && window.console._commandLineAPI) || {}) {
something
} to a malicious website!
With more malicious use of this issue, it could cause an information leak from all developers on the website.
What should happen:
The JS console should execute the JS code entered in the console.
Pavel Feldman
1) We no longer use window's eval for it. See newer Canary / nightly.
2) Even when we did, I don't see how that could be exploited.
Thaddee Tyl
Outstanding!
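The difference between the two evaluation paths discussed in this thread, as an added example that is not part of the original bug report or of WebKit's code. It assumes Node.js, with a `vm` context standing in for the inspected page; `makePage`, `evaluateViaPageEval`, `evaluateViaEngine` and `compare` are hypothetical names.

```javascript
// Added illustration for Node.js; a vm context stands in for the inspected page.
const vm = require('node:vm');

// Console wrapper text as it appears in the report's output.
const WRAP_HEAD = 'with ((window && window.console && window.console._commandLineAPI) || {}) {\n';

// Build a page context; when `hostile` is true it runs the override from the report.
function makePage(hostile) {
  const logged = [];                         // everything the page passed to console.log
  const sandbox = { console: { log: (m) => logged.push(String(m)) } };
  sandbox.window = sandbox;                  // assumption: minimal stand-in for `window`
  const page = vm.createContext(sandbox);
  if (hostile) {
    vm.runInContext(
      "window.eval = function (e) { console.log('sending ' + e + ' to a malicious website!'); };",
      page);
  }
  return { page, logged };
}

// Behaviour shown in the report: the console wraps the input and calls whatever
// the page currently exposes as `eval`, so page script receives the typed text.
function evaluateViaPageEval(page, input) {
  const wrapped = WRAP_HEAD + input + '\n}';
  return vm.runInContext('eval(' + JSON.stringify(wrapped) + ')', page);
}

// Evaluation that does not consult the page-writable `eval` property: the engine
// compiles and runs the input itself (modelled here with vm.runInContext).
function evaluateViaEngine(page, input) {
  return vm.runInContext(input, page);
}

// Run one input through both paths on fresh pages and report what the page saw.
function compare(input, hostile) {
  const a = makePage(hostile);
  const viaPageEval = evaluateViaPageEval(a.page, input);
  const b = makePage(hostile);
  const viaEngine = evaluateViaEngine(b.page, input);
  return { viaPageEval, seenByPageEval: a.logged, viaEngine, seenByEngine: b.logged };
}
```

Calling `compare('1 + 1', true)` shows the overridden page receiving the wrapped input on the first path and nothing on the second; with `false` both paths return the same result.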