When a user wants to log into Mozilla VPN, the VPN client will make a request to
https://vpn.mozilla.org/api/v2/vpn/login/windows to obtain an authorization URL. The endpoint
takes a port parameter that will be reflected in an <img> element after the user signs into
the web page. It was found that the port parameter can be of arbitrary value. Further, it is
possible to inject the @ sign, so that the request will go to an arbitrary host instead of
localhost. Theoretically, an attacker can give a crafted URL to a victim and once the
victim uses it to log in, their authorization code will be leaked to the attacker’s website.
However, the CSP in place contains a strict img-src directive which prevents
exploitation.
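
The sketch below is an added example, not code from the issue or from Mozilla's service: it shows how an unvalidated port value containing an @ sign changes the host a URL parser resolves, and a strict port check that rejects it. The function names, the `code` query parameter and the host `collector.example` are assumptions made for illustration.

```javascript
// Added example; names, the "code" parameter and hosts are illustrative assumptions.

// Naive construction: the port value is pasted into the URL string unchecked.
function naiveCallbackUrl(port, code) {
  return `http://localhost:${port}/?code=${encodeURIComponent(code)}`;
}

// Host a WHATWG URL parser would contact, or null if the URL is invalid.
function effectiveHost(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch (e) {
    return null;
  }
}

// Hardened: accept only a decimal TCP port, then re-check the parsed URL.
function safeCallbackUrl(port, code) {
  const text = String(port);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new RangeError("port must be 1 to 5 decimal digits");
  }
  const n = Number(text);
  if (n < 1 || n > 65535) {
    throw new RangeError("port out of range");
  }
  const url = new URL(`http://localhost:${n}/`);
  url.searchParams.set("code", code);
  // Defence in depth: the parsed authority must be loopback with no userinfo.
  if (url.hostname !== "localhost" || url.username !== "" || url.password !== "") {
    throw new Error("callback URL does not point at localhost");
  }
  return url.href;
}

// Constructed sample inputs: one valid port and three malformed values.
function demo() {
  return ["8080", "8080@collector.example", "99999", "80/x"].map((port) => {
    let safe;
    try {
      safe = safeCallbackUrl(port, "CODE");
    } catch (e) {
      safe = `rejected: ${e.message}`;
    }
    return { port, naiveHost: effectiveHost(naiveCallbackUrl(port, "CODE")), safe };
  });
}

console.log(demo());
```

With the naive builder, everything before the @ is parsed as userinfo, so `localhost:8080` becomes a username and password and the host is whatever follows.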