Bug 31270 - Social Engineering Issue with "javascript:" URLs
Summary: Social Engineering Issue with "javascript:" URLs
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL: http://www.facebook.com/group.php?gid...
Keywords: InRadar
Depends on:
Reported: 2009-11-09 12:54 PST by Nathan Hammond
Modified: 2009-11-09 14:08 PST (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Nathan Hammond 2009-11-09 12:54:45 PST
This vulnerability is with regards to how easy it is to create a XSS + worm + phishing attack without necessarily triggering a non-technical user's security alarm. This could become a common attack vector at any point in time.

1. Create a Facebook group, 'Get $25 from $BANK'. (This works for any social networking site.)
2. Provide simple, easy-to-follow directions that will walk the person through using a "javascript:" URL, causing the user to create their own XSS hole in the social networking web application.
3. Use your new access to help promote the group in a worm-style manner, in a TRUSTED ENVIRONMENT: "Your friend Joe Smith has invited you to join the group, 'Get $25 from $BANK'."

Non-malicious examples of 1-3 in the wild:
-> http://www.facebook.com/group.php?gid=170096529644&v=info
-> javascript:var numfriends=document.getElementById('friends').getElementsByTagName('li').length;fs.click(document.getElementById('friends').getElementsByTagName('a')[1].parentNode);for(var i=0; i < numfriends; i++){fs.click(document.getElementById('friends').getElementsByTagName('a')[i].parentNode);}

4. Add a script loader into the "javascript:" URL. Any will do.
-> http://www.nczonline.net/blog/2009/07/28/the-best-way-to-load-external-javascript/

5. Use the script loader to load http://www.example.com/maliciousscript.js which mutates the DOM (blows everything away)--without making a page request--and turns it into a phishing site.


6. Note that the URL still displays the "javascript:" URL. This effectively masks the site that the user is presently on (facebook.com, controlled by example.com/maliciousscript.js). With properly written instructions on the Facebook group the user will implicitly believe that they are on the actual $BANK site in spite of the "javascript:" URL being displayed in the location bar, *because they specifically pasted it there to create the action.*


7. Steal usernames and passwords from thousands of people. Profit.
Comment 1 Nathan Hammond 2009-11-09 13:06:03 PST
I've reported this issue to Mozilla as well, bug 527530.
Comment 2 Adam Barth 2009-11-09 13:48:03 PST
Can you say concretely what change you'd like us to make?

Also, can you CC abarth-mozilla@adambarth.com to the Mozilla bug so we can coordinate our response?  Thanks.
Comment 3 Adam Barth 2009-11-09 13:49:23 PST
Nevermind, I see that Mozilla has made this issue public.  I'm doing the same here.
Comment 4 Nathan Hammond 2009-11-09 13:53:36 PST
The change I am suggesting:

Immediately after execution of a "javascript:" URL, return the location bar to its prior state.

This would prevent the phishing site from hiding behind the "javascript:" URL.
Comment 5 Adam Barth 2009-11-09 13:56:49 PST
I'm sorry, but that's not a bug in WebKit.  The embedder (Safari) controls whether to reset the location bar.  For example, Chrome uses WebKit and does reset the location bar.  You should file a bug here:

Comment 6 Nathan Hammond 2009-11-09 13:59:56 PST
Okay, thanks!
Comment 7 Nathan Hammond 2009-11-09 14:08:46 PST