New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Fixed
Closed: Sep 2016

Sign in to add a comment

Issue 890: Dashlane: universal XSS in doOnboardingSiteStep API

Reported by, Aug 11 2016 Project Member

Issue description

Browsing through the dashlane javascript API, doOnboardingSiteStep uses the regex /:\/\/(.[^\/]+)/ to validate the site parameter, but that also matches javascript:alert(1)//://whatever.

This results in a universal XSS, allowing any site to XSS any other site - and therefore access cookies and user data, steal passwords and credentials for any website, etc, etc. Something like this should work:

dashlaneAPI.init({});''); // must be in a click event handler to disable popup blocker - can be any site,
                                        communicationObject) {
 communicationObject.callAPI('getUserOnboardingSites', null, function () {});
 communicationObject.callAPI('doOnboardingSiteStep', {
     site: 'javascript:alert(1);//://'
 }, function () {});

I'm going to list this as critical severity even though it's not a remote code execution, because the sole intent of the product is to protect website passwords and this effectively allows you to steal all password.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comment 1 by, Aug 11 2016

Project Member
Here's an ugly demo, it's probably not reliable due to timing. You need the dashlane javascript api file, I just copied the minified version from
984 bytes View Download

Comment 2 Deleted

Comment 3 Deleted

Comment 4 by, Aug 11 2016

Project Member
I looked at their fix, they now do:

var b =^https?:\/\/([.-a-z0-9_^/]+)/i);

which seems good to me.

Comment 5 Deleted

Comment 6 by, Sep 6 2016

Project Member
Labels: -Restrict-View-Commit -Severity-High Severity-HIgh
Status: Fixed (was: New)
The fixes are live now, it took so long because Apple review all updates to the appstore.

Sign in to add a comment