Pageviews

Wednesday, 7 February 2018

SOP Bypass using rel="noreferrer"

Hi Internet,

A bug that affects "Million people" this bug was marked as DUPLICATE and RESOLVED by Mozilla team but it was a good finding and learning for us (Robin Divino and Me) hope you enjoy the read.

Summary:

By default, any websites is passing the whole URL to any external domain (un-trusted third party domains) when the request was crossing between 2 domains, means if the user clicks an external link to a specific website, the whole URL will pass to the request header as part of a what we called Referer header.

But many of the websites URL parameters value contains sensitive user information/data such as Password reset token, OAuth token, Email address and many more, therefor website owners use a what we called rel attribute on the html code with the value of noreferrer to avoid leaking sensitive data to external domains.

However, we have found that the Firefox quantum seems ignoring the rel="noreferrer" attribute of an <a> tag which will put quantum users in risk.

For example:

HackerOne application (http://hackerone.com/) is strict when it comes to information sharing , because they do not allow anyone from third party domains to have access to hackerone users informations, because of that hackerone footer twitter external link contains the following code:

<a class="footer-nav-item-link icon-share-twitter" href="https://twitter.com/hacker0x01" target="_blank" rel="noreferrer noopener"></a>

When we click on the external twitter link and capture the request, the request header still contains referrer header that contains the full URL.

Steps To Reproduce:

1. Find any website page that contains external link (e.g twitter, facebook, etc.) most of the external link will be found on the footer as part  of their social link ads.

2. Make sure that the external link you found have a rel="noreferrer" attribute on its <a> tag or similar to what i have mentioned above in case of hackerone footer.

3. Click the external link and capture the request using burpsuite.

4. Observed the request header still have referer header despite the website owner put a rel="noreferrer" on their <a> tag that contains hyper-link to external domains.



Impact:

Massive information leakage of FF users without their knowledge :(


Regards
Dhiraj

2 comments: