Bug 96559 - Web Inspector: information leak in JS console
Summary: Web Inspector: information leak in JS console
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Major
Assignee: Nobody
Reported: 2012-09-12 14:17 PDT by Thaddee Tyl
Modified: 2012-09-13 00:51 PDT

Description Thaddee Tyl 2012-09-12 14:17:20 PDT
How to reproduce:

1. Go to the following URL: data:text/html,<!doctype><title></title><script>window.eval = function (e) { console.log('sending ' + e + ' to a malicious website!'); };</script>
2. Open the JS console.
3. Enter something.

What happens:
The JS console is, in this case, rendered useless because it outputs

    sending with ((window && window.console && window.console._commandLineAPI) || {}) {
    something
    } to a malicious website!

With more malicious use of this issue, it could cause an information leak from all developers on the website.

What should happen:
The JS console should execute the JS code entered in the console.
Comment 1 Pavel Feldman 2012-09-12 23:59:26 PDT
1) we no longer use window's eval for it. See newer Canary / nightly
2) even when we did I don't see how that could be exploited
Comment 2 Thaddee Tyl 2012-09-13 00:51:49 PDT
Outstanding!
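
The behaviour in the description and the change mentioned in Comment 1, modelled as an added example that is not part of this thread or of WebKit's code. It assumes a plain object `win` standing in for the page's `window`, and a hypothetical `realmEval` standing in for an evaluation path that does not go through `window.eval`; all function names are illustrative.

```javascript
// Evaluate `src` with `window` bound to `win`, without reading any property
// of `win` (assumption: stands in for an engine-level evaluation entry point).
function realmEval(win, src) {
  return new Function('window', 'return eval(' + JSON.stringify(src) + ');')(win);
}

// Constructed stand-in for a page global.
function makeWindow() {
  const win = { console: { _commandLineAPI: {} } };
  win.eval = (src) => realmEval(win, src); // page-writable, like window.eval
  return win;
}

// The script from the report; `sink` replaces console.log so results are testable.
function runPageScript(win, sink) {
  win.eval = function (e) { sink.push('sending ' + e + ' to a malicious website!'); };
}

// Wrapper text as it appears in the report's output.
function wrap(expr) {
  return 'with ((window && window.console && window.console._commandLineAPI) || {}) {\n' +
    expr + '\n}';
}

// Console that resolves `eval` on the page object at call time (reported behaviour).
function consoleViaWindowEval(win, expr) { return win.eval(wrap(expr)); }

// Console that never consults the page-writable property.
function consoleViaEngine(win, expr) { return realmEval(win, wrap(expr)); }

// Compare against a reference saved before any page script executed.
function evalWasReplaced(win, pristine) { return win.eval !== pristine; }

function demo() {
  const win = makeWindow();
  const pristine = win.eval;
  const sink = [];
  const before = consoleViaWindowEval(win, '1 + 2');
  runPageScript(win, sink);
  return {
    before,
    tampered: evalWasReplaced(win, pristine),
    viaWindow: consoleViaWindowEval(win, '1 + 2'),
    viaEngine: consoleViaEngine(win, '1 + 2'),
    sink,
  };
}
```

After the page script runs, the first console returns nothing and the page's function receives the wrapper text plus the typed input, while the second console still evaluates the expression and the sink receives nothing further.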