UXSS inside Vimium vomnibar feature #3832
Comments
In short, the vulnerable lines are: vimium/background_scripts/main.js Line 37 in bdf654a
* The second vulnerable line is actually the one that gets the executeScript message from the background script and executes this JS in the incorrect frame:
Btw, the start inside of the background context is where it calls the openurlInTab (for the javascript: scheme)
@philc please help mitigate this, thanks
The secret is not exposed to website pages, and this
Hi, I can place as many event listeners as I want, as one can embed the vomnibar page in an iframe on purpose for as long as he wants and then retry to find the correct number till it's there. (Also in the background without the user noticing at all.) Aka do this:
Also the secret stays the same as long as the browser is on, so it gives an attacker a lot of time and opportunity to find this secret (as users tend to keep their browsers open, and even if no internet connection is available it would work, as the extension is locally hosted and the attacker can just easily brute-force this one)
Oh yes, you're right.
Hi, I would love to work on it with you guys. It should not be too much work, just a one-line change @gdh1995
Describe the bug
An attacker can use the Vimium vomnibar feature to execute arbitrary JS code on any site.
This can be caused by a combination of a low-entropy PRNG used for the Vimium "secretToken" and invalid messages sent between different content scripts in the page.
Full Technical Description:
https://docs.google.com/document/d/1BdsJ3IRV05dodVfgWHLDRgM1FTkgswiMPxGHl_ufNho/edit
Bug Video:
https://youtu.be/bklyYCtECF0
To Reproduce
Steps to reproduce the behaviour:
https://github.com/barakolo/VimiumUXSS
To do that:
a. Open Chrome DevTools and change the JavaScript context to "Vimium extension" (under the Console tab, click on the arrow sign below it).
b. Now run this line of code (we are now running it in the zotero content-scripts context):
chrome.storage.local.get('vimiumSecret', e=>console.log(e['vimiumSecret']))
c. Save this value aside (this is a small number with at most 10 digits, which is used across all sites).
python2 -m SimpleHTTPServer 8080
Browser and Vimium version
Vimium Version: 1.66 (March 2, 2020)
Chrome version: 91.0.4472.77
OS version: Windows 10 Home 19042.985