Steemit target _blank vulnerability inspection

in #security · 7 years ago (edited)


Example of exploit of the "target _blank" vulnerability: [screenshot: code snippet]

In this case the vulnerability is not exploitable on Steemit because Steemit does not, by default, open the link above (or links in general) in a new tab.

Steemit does, however, use target _blank for many other links on its platform. That means that if any of those third-party websites were compromised, a phishing attack could be performed against the Steemit page that opened them.

Feel free to download the script and try it locally by simply changing the links to use a local path such as "file:///C:/Users/your-username/Documents/test.html" and redirecting to a fake login page like this one:
[screenshot: fake login page]

See my previous bug report for details on this potential bug and common solutions: https://steemit.com/steemit-issues/@gaottantacinque/steemit-minor-bugs-reporting

UPDATE:

Internet is a safe place!! (..not)


The attack does not work on Steemit. I tested it on all major browsers, changing the target _blank links on the client side to point to a page that redirects the original tab to a phishing page. The original tab (Steemit) was not redirected, thanks to Steemit's use of noreferrer noopener on the links that use target _blank.

The problem, though, is that it works like a charm on all major social media platforms!
Posting something like the link above (e.g. https://mycatnamedweb.github.io/) as a Facebook comment or post, the newly opened tab is easily able to redirect the original tab to a phishing page.

Affected browsers and social media platforms:

  • Chrome: Linkedin
  • Edge: Facebook, Linkedin, Twitter (warning displayed for the latter)
  • Firefox: Facebook, Linkedin
  • Opera: Facebook, Linkedin
  • Safari: Facebook, Linkedin, Twitter (warning displayed for the latter)
  • ...



Your post was resteemed, thank you for dropping by my "Free Resteem Service"; don't forget to follow me as a sign of your support

Soon this theme is going live: "GREAT THINGS ARE DONE BY A SERIES OF SMALL THINGS BROUGHT TOGETHER"

I am happy serving you all...

This is not XSS.

Also, Steemit already does this. SanitizeConfig.js, line 180.

            if (!href.match(/^(\/(?!\/)|https:\/\/steemit.com)/)) {
                // attys.target = '_blank' // pending iframe impl https://mathiasbynens.github.io/rel-noopener/
                attys.rel = highQualityPost ? 'noopener' : 'nofollow noopener';
                attys.title = getExternalLinkWarningMessage();
            }

The attack doesn't work for me (I'm running Firefox).

It's not an XSS attack per se, but if one of the trusted sites, A, has been compromised by an XSS attack with the ability to inject a script, then this attack can be leveraged to also compromise the access credentials to site B (Steemit in this case) by redirecting the login attempt on site B to a malicious imitation of site B's login page.

AFAIK nofollow and noopener don't fix the issue on Safari and other old versions of popular browsers.
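The condition the post and the comments above describe (a link with target _blank whose rel attribute carries neither noopener nor noreferrer, so the new tab keeps a usable window.opener and can navigate the tab that opened it) can be both audited and fixed at the point where user-submitted HTML is sanitized. What follows is an added example written for this page; it is neither the script from the post nor Steemit's code. The same-origin pattern is the one from the SanitizeConfig.js snippet quoted above, while the function names, the attribute parser and the sample HTML are constructed for the example.

```javascript
// Added example, not Steemit's code and not the script from the post.
// Same-origin test copied from the quoted SanitizeConfig.js snippet:
// relative paths (but not protocol-relative "//host") and steemit.com.
const SAME_ORIGIN = /^(\/(?!\/)|https:\/\/steemit\.com)/;

// Parse the attribute text of one <a ...> tag into an object.
// Handles double- and single-quoted values only; it is a helper for
// the audit below, not a general HTML parser (constructed for this example).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Split a rel attribute into lower-case tokens.
function relTokens(rel) {
  return (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// True when the anchor opens a new tab and nothing severs the opener
// relationship. noreferrer implies noopener in browsers that honour it.
function opensUnsafeTab(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// Audit: return the href of every anchor in `html` that would hand the
// newly opened tab a usable window.opener.
function findTabnabbingLinks(html) {
  const hits = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (opensUnsafeTab(attrs)) hits.push(attrs.href || '');
  }
  return hits;
}

// Sanitizer step: external links get noopener, plus noreferrer as the
// fallback for browsers that only honour the latter (the Safari / old
// browser caveat raised in the comments). Same-origin links are returned
// unchanged, mirroring the exception in the quoted snippet.
function hardenAnchor(attrs) {
  const out = { ...attrs };
  if (SAME_ORIGIN.test(out.href || '')) return out;
  const rel = new Set(relTokens(out.rel));
  rel.add('noopener');
  rel.add('noreferrer');
  out.rel = [...rel].join(' ');
  return out;
}

// Apply hardenAnchor to every <a> tag in an HTML string and re-serialise
// the attributes (values are left as parsed; quoting is normalised to ").
function hardenHtml(html) {
  return html.replace(/<a\b([^>]*)>/gi, (_, attrText) => {
    const attrs = hardenAnchor(parseAttrs(attrText));
    const serialised = Object.entries(attrs)
      .map(([k, v]) => `${k}="${v}"`)
      .join(' ');
    return `<a ${serialised}>`;
  });
}

// Constructed sample: an internal link that stays in the same tab, an
// external link that opens a new tab with no rel (the unsafe case), and
// an external link that is already hardened.
const SAMPLE_HTML = [
  '<p><a href="/@gaottantacinque">profile</a></p>',
  '<p><a href="https://example.com/cat" target="_blank">cat</a></p>',
  '<p><a href="https://example.org" target="_blank" rel="noopener noreferrer">ok</a></p>',
].join('\n');

const HARDENED_HTML = hardenHtml(SAMPLE_HTML);

console.log('unsafe before:', findTabnabbingLinks(SAMPLE_HTML));   // one hit
console.log('unsafe after :', findTabnabbingLinks(HARDENED_HTML)); // none
console.log(HARDENED_HTML);
```

The regex-based scan is only meant for sanitizer-side checks on strings you control; inside a browser the equivalent audit is a DOM query such as document.querySelectorAll('a[target="_blank"]:not([rel~="noopener"]):not([rel~="noreferrer"])'), which returns exactly the anchors opensUnsafeTab would flag.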

Congratulations @gaottantacinque! You have completed some achievement on Steemit and have been rewarded with new badge(s):

Award for the number of comments received

Click on any badge to view your Board of Honor.

To support your work, I also upvoted your post!
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last announcement from @steemitboard!

Do you like SteemitBoard's project? Vote for its witness and get one more award!

Your post was resteemed✅by @valentin86
Thank you for using my service
Best wishes🙋

Your Post Has Been resteemed on @sam-resteem

Resteem your Steemit post using the sam-resteem platform
--how it works:--
Post your Steemit post URL following the link below
https://steemit.com/resteem/@sam-resteem/resteem-your-content

Thanks for using sam-resteem platform
Follow @sam-resteem