First of all, I'm only publicly sharing this because I did not get an answer from multiple attempts to contact you.
Sorry if this causes problems, but I'd like this fixed. At least in V2.
Problem
The URL bar and permission system are vulnerable to domain spoofing. This means that an attacker can perfectly spoof websites and their permissions, e.g. to phish users out of some coins.
This happens because "www." is stripped from the domain in an insecure way.
I would say this is the vulnerable code:
status-mobile/src/utils/url.cljs, line 19 in 42d2690
Proof of Concept
mdnplay.dev is a mozilla domain that has wildcard dns, which makes it perfect for showing this.
Just visiting abcwww.mdnplay.dev will show abcmdnplay.dev in the browser URL bar.
This appears to impact the permission system as well, so if abcmdnplay.dev had any permissions, this other site now has the same permissions.
If an attacker wanted to spoof example.org, they would simply buy xample.org and host the code on ewww.xample.org.
Now, with another phishing domain or technique, the attacker could lure the victim to that site and ask for a payment or whatever.
Severity
I do not think this is critical, but it is definitely breaking one of the core promises of the app: secure browsing.
Even if this is a legacy app and V2 is around the corner, this still deserves a patch in my opinion.
This makes phishing attempts much more likely to succeed.
Fix
My preferred fix would be to just remove the code and treat https://www.example.com and https://example.com as different origins, because they are.
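As an added illustration (not the status-mobile code and not the reporter's), the snippet below puts a constructed reproduction of the symptom described above, an unanchored removal of "www." from the hostname, beside a display helper that does no rewriting and a permission key built on the full origin, plus a small regression check that flags when two different hosts would render identically. The `naiveDisplayHost` body is an assumption about how the symptom arises, built only from the hostnames in the report.

```javascript
// Constructed reproduction (assumption, not the project's implementation):
// removing "www." wherever it occurs means abcwww.mdnplay.dev collapses
// into abcmdnplay.dev and ewww.xample.org into example.org.
function naiveDisplayHost(url) {
  const { hostname } = new URL(url);
  return hostname.replace("www.", "");
}

// Hardened: show exactly the hostname the URL parser produced. With no
// cosmetic rewriting, two different hosts can never render as one string.
function safeDisplayHost(url) {
  return new URL(url).hostname;
}

// Permissions keyed on the full origin (scheme + host + port), so
// https://www.example.com and https://example.com never share grants.
function permissionKey(url) {
  return new URL(url).origin;
}

// Regression check for a test suite: true when two distinct hosts would be
// shown to the user as the same string under the given display function.
function displayCollides(displayFn, legit, candidate) {
  return (
    displayFn(legit) === displayFn(candidate) &&
    new URL(legit).hostname !== new URL(candidate).hostname
  );
}

// Hosts from the report, used as sample input.
const LEGIT = "https://abcmdnplay.dev/";
const SPOOF = "https://abcwww.mdnplay.dev/";
console.log("naive:", naiveDisplayHost(SPOOF), "collides:", displayCollides(naiveDisplayHost, LEGIT, SPOOF));
console.log("safe: ", safeDisplayHost(SPOOF), "collides:", displayCollides(safeDisplayHost, LEGIT, SPOOF));
```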