Websites can feed Tridactyl fake key events

High
bovine3dom published GHSA-7qr7-93pf-hr8f Jul 2, 2019 · 1 comment

Package

Tridactyl (Firefox add-on)

Affected versions

1.14.0 <= v <= 1.14.10, 1.15.0

Patched versions

1.14.12+, 1.16.0+

Description

Impact

Malicious websites could feed key events to Tridactyl, which would execute them as if the user had pressed those keys, anywhere outside of Tridactyl's own command line. If the native messenger was installed, an attacker could execute arbitrary programs by sending the string mpv <data URI here> to the user's shell. See this gist for a third-party example of how it could have been exploited.

We believe that the vulnerability was not known by any bad actors.

All Tridactyl versions released between September 2018 and June 14th 2019 were affected, i.e. 1.14.0 <= v <= 1.14.10 and 1.15.0.
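As an added illustration of the general class of defence against this bug (this is not Tridactyl's code and does not reproduce the linked patch): browsers set isTrusted to true only on events generated from real user input, while KeyboardEvents that page script creates and dispatches carry isTrusted === false, so a key handler that drops untrusted events cannot be driven by a website's synthetic key presses. The function names and the constructed event objects are assumptions made for this example.

```javascript
// Added example (not Tridactyl's code): gate a key handler on event.isTrusted.
// Browsers mark events generated from hardware input with isTrusted === true;
// events created by script and passed to dispatchEvent() carry isTrusted === false.
// `isGenuineKeyEvent`, `makeKeyListener` and `demo` are hypothetical names.

function isGenuineKeyEvent(ev) {
  // Accept only events the browser itself produced from user input.
  return Boolean(ev) && ev.isTrusted === true;
}

// Build a keydown listener that forwards only genuine keys to `processKey`
// and counts how many synthetic events were dropped (useful for logging).
function makeKeyListener(processKey) {
  const stats = { accepted: 0, dropped: 0 };
  function listener(ev) {
    if (!isGenuineKeyEvent(ev)) {
      stats.dropped += 1;
      return false; // ignore script-generated key events
    }
    stats.accepted += 1;
    processKey(ev.key);
    return true;
  }
  listener.stats = stats;
  return listener;
}

// Offline demonstration with constructed stand-in events. In a real extension
// the listener would be registered with window.addEventListener("keydown", ...).
function demo() {
  const seen = [];
  const listener = makeKeyListener((key) => seen.push(key));

  // Constructed events: one as the browser delivers a real key press,
  // one as a page script would produce via dispatchEvent(new KeyboardEvent(...)).
  const genuine = { type: "keydown", key: "j", isTrusted: true };
  const synthetic = { type: "keydown", key: "x", isTrusted: false };

  listener(genuine);
  listener(synthetic);
  listener(synthetic);

  return { seen, stats: listener.stats };
}
```

The check is deliberately placed at the listener boundary rather than deeper in the dispatch logic, so every downstream binding (normal-mode keys, native-messenger commands, and so on) inherits it; a content script that inspects isTrusted before acting is the property a patched version of any such extension needs to hold.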

Patches

The majority of our users already have the patch - you can check easily on the new tab or with :version. Update to 1.14.12+ (for Firefox ESR) or 1.16.0+ by going to about:addons in Firefox, clicking the cog in the top right, and then clicking "Update". Once Tridactyl has downloaded you'll need to restart Firefox. It will look as if the progress bar is stuck - just restart.

Workarounds

Remove the native messenger - check the output of :! pwd and then delete that directory.

References

bovine3dom's writeup
The GitHub issue
The patch that fixed it

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2019-1020004

Weaknesses

No CWEs

Credits