Closed Bug 873769 Opened 12 years ago Closed 12 years ago

XSS about:home localStorage

Categories

(Firefox :: Security, defect)

Type: defect; Priority: Not set; Severity: normal


RESOLVED WONTFIX

People

(Reporter: curtisk, Unassigned)


Copy of https://bugzilla.mozilla.org/show_bug.cgi?id=789348#c38

This should have been reported as a sec bug and not as a public comment in a public bug.

XSS on about:home using localStorage Injection.

This is not remotely exploitable but I figured I'd submit it anyway as it could be used to compromise Firefox on a public or shared computer.

FF is storing the HTML for snippets in localStorage. An attacker could open FF to about:home and quickly make/execute a bookmarklet:

javascript:window.localStorage.setItem('snippets','<iframe src="https://www.whitehatsec.com" onload="prompt()" style="width:100%;height:100%;z-index:9999999;position:absolute;left:0px;top:0px;"/>');

This could be expanded further to use a sandboxed iframe to cause the victim to browse the web inside the iframe while keeping them on about:home page that has been compromised.

The attacker can then close the browser completely and the about:home page will remain compromised each time a user opens Firefox.

Zach Jones
WhiteHat Security
An attacker with local access to the machine could also just install an extension that does much worse, so I don't think there's any reason to keep this hidden, and I suspect this is WONTFIX.
Group: firefox-core-security, core-security
Or perhaps related to bug 371923 (related to the general problem of tricking users into creating bookmarklets).
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
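
As an added example (not Firefox code and not from this bug), one way a page can treat the value stored under the localStorage key 'snippets' from the report as untrusted input: accept only a small JSON record, validate it, and escape everything that is rendered. The record shape, function names, length limit and default markup are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Firefox's about:home code.
// The stored value is parsed as data and validated; it is never used as HTML.

const MAX_TEXT = 280; // assumed upper bound for a snippet's text

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Returns {text, href} when the stored value is a well-formed record, else null.
function parseStoredSnippet(raw) {
  if (typeof raw !== 'string') return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; } // raw HTML fails here
  if (rec === null || typeof rec !== 'object' || Array.isArray(rec)) return null;
  const { text, href } = rec;
  if (typeof text !== 'string' || text.length === 0 || text.length > MAX_TEXT) return null;
  if (typeof href !== 'string') return null;
  let url;
  try { url = new URL(href); } catch { return null; }
  if (url.protocol !== 'https:') return null; // rejects javascript:, data:, http:
  return { text, href: url.href };
}

// Builds markup from validated, escaped fields; falls back to a fixed default.
function renderSnippet(storage) {
  const rec = parseStoredSnippet(storage.getItem('snippets'));
  if (!rec) return '<p>Welcome to Firefox.</p>'; // hypothetical default snippet
  return `<a href="${escapeHtml(rec.href)}">${escapeHtml(rec.text)}</a>`;
}

// Constructed stand-in for window.localStorage so the example runs offline.
function makeStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a browser the same validated fields would normally be applied with textContent and setAttribute rather than by building a string.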