Hey, I've discovered a vulnerability in `flow`. I'm sticking to GitHub's default template for advisories (maybe consider adding a `SECURITY.md`):

Summary

Opening an ebook with malicious scripts inside leads to script execution inside the current browsing context.

Details

Because of the `epub.js` configuration option `allowScriptedContent = true`, it is possible to execute arbitrary JavaScript code from within an epub file:

flow/apps/reader/src/models/reader.ts, line 366 in 08b7bb1

`epub.js` itself uses an `iframe` to display the epubs. While it does set the `sandbox` attribute, it also sets `allow-same-origin`. This can't be changed by the consumer of the library. A combination of `allow-scripts` and `allow-same-origin` renders the sandboxing obsolete (see here). The developers of `epub.js` warn about this.

PoC

An ebook can be crafted with Calibre to include this bare minimum script:

That's it!

Impact

Users have to open a malicious book.
However, the attacker doesn't have to prepare a book specifically for `flow`, but can use some fingerprinting to determine in what environment it's running.
Distribution of malicious books could be done via pirate sites or even (online) conversion services, which could inject those malicious scripts.

Because of the nature of `flow` as a standalone browser app, there aren't many dangerous things an exploit could do. I don't know how the `Dropbox` authentication works, but maybe stored cookies or tokens inside `LocalStorage` could be exfiltrated.
This is pure speculation, though, as I don't have a `Dropbox` account to verify it.
Overall, I wouldn't be too worried. :^)

Some ideas

In an ideal world, scripted content would be turned off. There are, however, limitations with that approach.
The author of `foliate` sums it up nicely here.
Maybe the user could be given the option to toggle scripted content.

That's it! If something's unclear, please ask away.

Cheers
Frederic

PS: Audio warning for the PoC video.
flow-xss-poc.mp4
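A check in the spirit of the Details section above, added here as an example that is not part of the original issue, of flow, or of epub.js: it audits the token list of an `iframe` `sandbox` attribute and flags the `allow-scripts` + `allow-same-origin` combination the report describes. `KNOWN_TOKENS`, `auditSandbox`, `auditAll` and the sample attribute values are this example's own constructs.

```javascript
// Added example (not code from the report, flow or epub.js): audit the token
// list of an <iframe sandbox="..."> attribute for the combination the report
// describes. When the framed document shares the embedder's origin (content
// the embedder writes into the frame does) and both allow-scripts and
// allow-same-origin are granted, a script in the frame can reach
// window.parent.document and strip the sandbox attribute from its own frame,
// so the sandbox no longer restricts anything.

// Token names as defined for the sandbox attribute in the HTML standard.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// attr: the raw attribute value, or null when the attribute is absent.
// Returns { tokens, effective, findings }; effective is false when the frame
// is not sandboxed at all or when the sandbox can be removed from inside.
function auditSandbox(attr) {
  if (attr === null || attr === undefined) {
    // No sandbox at all: the frame runs with the full privileges of its origin.
    return { tokens: [], effective: false, findings: ['no-sandbox-attribute'] };
  }
  // The value is an ASCII-whitespace-separated, case-insensitive set of tokens.
  const tokens = [...new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean))];
  const has = (t) => tokens.includes(t);
  const findings = [];
  for (const t of tokens) {
    // Browsers silently ignore unknown tokens, so a typo grants nothing.
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown-token:${t}`);
  }
  const escapable = has('allow-scripts') && has('allow-same-origin');
  if (escapable) findings.push('allow-scripts+allow-same-origin: framed content can remove its own sandbox');
  if (has('allow-top-navigation')) findings.push('allow-top-navigation: framed content can navigate the top-level page');
  return { tokens, effective: !escapable, findings };
}

// Constructed sample values: the first models the epub.js setting the report
// describes, the second drops allow-same-origin, the third omits the attribute.
const SAMPLES = {
  epubjsLike: 'allow-same-origin allow-scripts allow-forms',
  scriptsOnly: 'allow-scripts allow-forms',
  unsandboxed: null,
};

function auditAll(samples = SAMPLES) {
  const report = {};
  for (const [name, attr] of Object.entries(samples)) report[name] = auditSandbox(attr);
  return report;
}

console.log(JSON.stringify(auditAll(), null, 2));
```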