
Issue 657380

Starred by 5 users

Issue metadata

Status: Archived
Owner: ----
Closed: Aug 21
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Javascript URLs in bookmarks are powerful

Reported by suhas0...@gmail.com, Oct 19 2016

Issue description

VULNERABILITY DETAILS
XSS because of Google Chrome Bookmark manager  

VERSION
Chrome Version: 54.0.2840.59 m (64-bit)
Operating System: Windows 7, 64-bit 

REPRODUCTION CASE
1. Open the Google Chrome browser and go to Menu -> Bookmarks -> Show bookmarks bar (Ctrl + Shift + B)
2. Right-click on the bookmarks bar and click Add page
3. Enter Name as "BookMarkTest" and URL as "javascript:alert(document.domain)"
4. Now open https://google.com in a Google Chrome tab and click BookMarkTest; the XSS will get executed. (Refer to the attached screenshots)

OWASP: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Let me know if you need more details. Thank you.
 
Attachments: BookMark.JPG (62.2 KB), BookMark_XSS.JPG (60.7 KB)
Components: UI>Browser>Bookmarks
Generally speaking, this is "Working as Intended" insofar as Chrome deliberately supports Bookmarklets (see https://en.wikipedia.org/wiki/Bookmarklet).

There's a broader question as to whether or not this is a "misfeature" in that it exposes a non-trivial attack surface in exchange for a "power-user" feature.

The more compelling repro case is where a page has a JavaScript:-protocol anchor tag and the user is tricked into drag/dropping that URL to the bookmarks bar; the user never sees "javascript:" anywhere. In contrast, IE shows a warning dialog in this scenario:

[Window Title]
Internet Explorer

[Main Instruction]
Do you want to add this bookmarklet?

[Content]
Bookmarklets run script and can send information to sites on the Internet. Only add bookmarklets from websites you trust.

[Yes] [No]
Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
 Issue 668797  has been merged into this issue.

Comment 4 Deleted

 Issue 679267  has been merged into this issue.
Status: Untriaged (was: Unconfirmed)
 Issue 705202  has been merged into this issue.
 Issue 714429  has been merged into this issue.
 Issue 727074  has been merged into this issue.
Summary: Security: Javascript URLs in bookmarks are powerful (was: Security: XSS in Bookmark manager)
Status: Archived (was: Untriaged)
Archiving old bugs that haven't been actively assigned in over a year.

If you feel this issue should still be addressed, feel free to reopen it or to file a new issue. Thanks!
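
For defenders who want to know which bookmarks in a profile are bookmarklets of the kind discussed in this thread, the following added example (not from the issue or from Chromium's code) walks a Chrome `Bookmarks` JSON tree and reports every entry whose URL resolves to the `javascript:` scheme. It assumes the profile file's `roots` / `children` / `type` / `url` layout; the function names and the sample data are constructed for illustration.

```javascript
// Added example: audit a Chrome "Bookmarks" JSON tree for javascript: URLs.
// Scheme detection follows WHATWG URL parsing: leading C0 control/space
// characters are stripped, ASCII tab/newline are removed anywhere in the
// string, and the scheme is matched case-insensitively.
function isScriptUrl(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+/, "") // leading C0 controls and space
    .replace(/[\t\n\r]/g, "");        // tab/newline anywhere in the input
  return /^javascript:/i.test(cleaned);
}

// Walk folders recursively; return {path, name, url} for each bookmarklet.
function findBookmarklets(node, path = []) {
  if (!node || typeof node !== "object") return []; // skip non-node values
  if (node.type === "url") {
    return isScriptUrl(node.url)
      ? [{ path: path.join("/"), name: node.name, url: node.url }]
      : [];
  }
  const here = node.name ? [...path, node.name] : path;
  return (node.children || []).flatMap((c) => findBookmarklets(c, here));
}

// Entry point: takes the parsed Bookmarks document, scans every root.
function auditBookmarks(doc) {
  return Object.values(doc.roots || {}).flatMap((r) => findBookmarklets(r));
}

// Constructed sample in the shape of a profile's Bookmarks file.
const SAMPLE = {
  roots: {
    bookmark_bar: { type: "folder", name: "Bookmarks bar", children: [
      { type: "url", name: "BookMarkTest", url: "javascript:alert(document.domain)" },
      { type: "url", name: "Search", url: "https://google.com" },
      { type: "folder", name: "Tools", children: [
        { type: "url", name: "Mixed case", url: " JavaScript:void(0)" },
        { type: "url", name: "Split scheme", url: "java\tscript:void(0)" },
      ] },
    ] },
    other: { type: "folder", name: "Other bookmarks", children: [
      { type: "url", name: "Query only", url: "https://example.com/?q=javascript:" },
    ] },
  },
};

for (const hit of auditBookmarks(SAMPLE)) {
  console.log(`${hit.path} :: ${hit.name} -> ${JSON.stringify(hit.url)}`);
}
```

To run it against a real profile, pass `JSON.parse` of the profile's `Bookmarks` file contents to `auditBookmarks`.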
