lyra.horse is a website used for hosting personal projects from https://x.com/rebane2001/ such as antonymph and blog.
One of the tools originally shown at the XS-Leaks event 2024, Organized by Meta is XS Frame Counter that does frame counting for XS-Leaks except when COOP stops it.
Unfortunately the untrusted URL from <input> was directly used in a call to window.open :(
function start(url) {
windowClosed = false;
startTime = Date.now();
frameRefs.length = 0;
activeFrames.length = 0;
frameCount = 0;
currentFrame = 0;
log(`Loading ${url}...`);
currentWindow = window.open(url, 'xspanel', 'popup');
currentWindow.onload = () => {
log(`Loaded at ${Date.now() - startTime}...`);
};
}
This means by social engineering the victim to click anywhere on the attacker page,
onclick = () => {
navigator.clipboard.writeText('javascript:alert(1337)');
};
Then clicking to focus the hidden iframes <input> element and doing ctrl v (to paste the payload),
…Now just trick the victim into doing one more click on the hidden go button to get XSS.
This was fixed in https://github.com/rebane2001/lyra.horse/commit/368bc771a9f61ca2ed4001878b8c93d190a589c9 by adding a whitelist… I mean allowlist for the http: and https: protocol. Importantly they added a duck emoji to ensure it won’t happen again.
At first glance it may appear that this site is static, you wouldn’t be able to do much with the self XSS anyways however as mentioned above this website also includes a service called antonymph that requests MIDI permission and to open unlimited popups, which can be abused by attackers.
While having this writeup could be pointless in terms of impact and unlikely user interaction, it does not require a compromised renderer and promotes xs-leaks.