
Vulnerability: Unprotected external links

rugk edited this page Apr 29, 2018 · 1 revision

The following vulnerability was reported by @rugk on 2018-03-23 and fixed in EteSync-Web v0.3.1.

It basically allows "remote code execution" (or, to be exact, DOM access, which has the same impact in the JavaScript world) by two specific actors if a user clicks a link on the EteSync page. The full report is shown below.


Reproduce

You include target="_blank" links to open in a new tab in the website. Now, this thing has a problem: The websites it opens have access to the DOM of the opener website.

For reference/more explanation see:

Impact

I only looked at the login page, but that is already enough. The links go to:

  • github.com
  • and etesync.com

Thus both these actors – if malicious – could intercept the encryption password (and maybe other stuff on the website, basically everything in the DOM).

Fix

Note that Firefox also does not need noreferrer anymore for the fix, so this should be sufficient: [… original link removed, fix can be seen in #14 …]


Timeline:
Sent: 2018-03-23
Confirmed: 2018-03-23
Fixed: 2018-03-23
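
A check for the pattern this report describes, as an added example that is not part of the original report or the EteSync code base: it scans static HTML for links that open a new tab with target="_blank" but carry neither noopener nor noreferrer in rel. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: flag links that open a new tab without rel="noopener".
// Regex-based scan for static HTML; it is not a full HTML parser and does
// not understand JSX expressions such as href={url}.
const TAG_RE = /<(a|area)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function findUnprotectedLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttributes(m[2]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    // noreferrer implies noopener, so either token clears window.opener.
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ line, href: attrs.href || "" });
  }
  return findings;
}

// Constructed sample markup (not taken from the EteSync code base).
const SAMPLE = [
  '<a href="https://github.com/" target="_blank">Source</a>',
  "<a href='https://etesync.com/' target=_blank rel='nofollow'>Site</a>",
  '<a href="https://github.com/" target="_blank" rel="noopener">Source</a>',
  '<a href="https://etesync.com/" TARGET="_BLANK" REL="NoReferrer">Site</a>',
  '<a href="/login">Log in</a>',
].join("\n");

// Prints the two findings: lines 1 and 2 of the sample.
console.log(findUnprotectedLinks(SAMPLE));
```

Current browsers treat target="_blank" as implying noopener by default, so the explicit rel attribute mainly protects users on older browsers.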
