onerror onload events leak user information
Reported by davidbar...@gmail.com, Apr 23 2017
Issue description

PRIVACY ISSUE

The onload and onerror events can be used to leak information from the user. For instance, they could be used to assert whether the user is logged in on some websites. If the website has a URL that sends a different HTTP code depending on whether the user is logged in or not, those events can be used to leak that information. Those events can also be used to leak information about a local web server running on the user's computer.

VERSION: Chrome Version: 58.0.3029.81 stable; Operating System: Windows 7 Home Premium Service Pack 1

REPRODUCTION STEPS

Assert whether the user is logged in on YouTube:

<link rel="stylesheet" type="text/css" href="https://www.youtube.com/feed_ajax?spf=load" onload="alert('Logged')" onerror="alert('Not logged')">

Assert whether the user has a web server running on his computer:

<link rel="stylesheet" type="text/css" href="http://localhost/" onload="alert('running')" onerror="alert('not running')">

Assert whether the user has specific software running on his web server:

<link rel="stylesheet" type="text/css" href="http://localhost/phpMyAdmin/" onload="alert('running')" onerror="alert('not running')">
Oct 23

Yes, onload and onerror are APIs that leak cross-origin information. To prevent leaking login state, websites can use SameSite cookies. Sadly this is a really old problem and it can't be fixed without breaking half the internet.
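The following is an added example, not code from the bug report or from Chromium: a small model of why the SameSite cookie attribute named in the comment above closes the login-state variant of this leak. It models the browser's decision of whether a session cookie is attached to a cross-site subresource request (the `<link rel="stylesheet">` probe from the report), an endpoint that answers 200 only when that cookie arrives, and the single bit (onload vs. onerror) the embedding page can observe. Host names, the cookie name and the endpoint behaviour are constructed for illustration; the SameSite rules follow the cookie specification (Strict never sent cross-site, Lax sent cross-site only on top-level GET navigations, None always sent but only over HTTPS with Secure).

```javascript
// Added example (not from the bug report): model of SameSite cookie scoping
// against a cross-site <link> onload/onerror probe. All names are constructed.

// Registrable-domain comparison: "www.victim.example" and "app.victim.example"
// are same-site; "attacker.example" is cross-site to both.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

// Whether a cookie is attached to a request under the SameSite rules.
// A <link> stylesheet load is a subresource request, never a top-level
// navigation, so a Lax cookie does not accompany it cross-site.
function cookieIsSent(cookie, request) {
  if (isSameSite(request.initiatorHost, request.targetHost)) return true;
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'None':   return Boolean(cookie.secure) && request.scheme === 'https';
    case 'Lax':
    default:       // unspecified is treated like Lax (Chrome's default since version 80)
      return request.topLevelNavigation && request.method === 'GET';
  }
}

// Constructed authenticated endpoint: 200 when the session cookie is present,
// 403 otherwise. This status difference is what onload/onerror expose.
function endpointStatus(cookie, request) {
  return cookieIsSent(cookie, request) ? 200 : 403;
}

// What the embedding page observes: <link> fires onload on a successful
// stylesheet response and onerror on a failing status.
function observedByAttacker(cookie, request) {
  return endpointStatus(cookie, request) === 200 ? 'onload' : 'onerror';
}

// Constructed scenario: a page on attacker.example embeds a <link> that points
// at the victim site's authenticated endpoint while the user is logged in.
const crossSiteProbe = {
  initiatorHost: 'attacker.example',
  targetHost: 'www.victim.example',
  scheme: 'https',
  method: 'GET',
  topLevelNavigation: false, // subresource load, not a navigation
};

const leakyCookie    = { name: 'session', sameSite: 'None', secure: true };
const hardenedCookie = { name: 'session', sameSite: 'Lax',  secure: true };

console.log('SameSite=None:', observedByAttacker(leakyCookie, crossSiteProbe));    // onload  (login state leaks)
console.log('SameSite=Lax: ', observedByAttacker(hardenedCookie, crossSiteProbe)); // onerror (indistinguishable from logged out)
```

With SameSite=Lax the probe receives the same 403 whether or not the user is logged in, so the onload/onerror bit carries no login-state information; the user's own same-site navigation to www.victim.example still sends the cookie, which is why Lax is usually deployable. This model only covers the login-state case from the comment above; SameSite does not affect the localhost probes in the report, which involve no cookies at all.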
Comment 1 by bugdroid1@chromium.org, Apr 24 2017