Tabnabbing via window.opener [bookwyrm.social] in bookwyrm-social/bookwyrm

Valid

Reported on

Aug 5th 2022


Description:

Hello @bookwyrm-social, I found a tabnabbing vulnerability. The attack is possible due to target=_blank, i.e. tabnabbing via window.opener.

VISIT:- https://bookwyrm.social/

SUMMARY:

I was browsing the site and found a tabnabbing vulnerability. As per my observation, the attack is possible due to target=_blank, i.e. tabnabbing via window.opener. When you open a link in a new tab (target="_blank"), the page that opens in the new tab can access the initial tab and change its location using the window.opener property.

STEPS TO REPRODUCE:

  1. Open the website URL: https://bookwyrm.social/

  2. Right-click and click on "Inspect element".

  3. Move the cursor to the Elements tab, then press CTRL+F and search for target="_blank".

  4. If you find target="_blank" on a link, it means the website can be vulnerable, similar to open-redirect-like vulnerabilities.

  5. For more details, check the POC.

POC Screenshot 1:

POC Screenshot 2:

MITIGATIONS:-

In order to mitigate this issue, developers are encouraged to use rel="nofollow noopener noreferrer" as follows: <a target="_blank" class="btn external-url" href="https://evil.com" rel="nofollow noopener noreferrer"><i class="fa fa-external-link"></i></a>

  1. Don't open links in new tabs using target="_blank".

  2. Add the attribute rel="noreferrer", which also disables the referrer.

  3. Set the window.opener attribute to null on the new tab before redirecting, like this: <script>var w = window.open(url, "_blank"); w.opener = null;</script>

External links in main domain :

  1. https://www.patreon.com/bookwyrm
  2. https://www.ramaytush.org/

Impact

This type of phishing has huge potential for tricking users who click on external links from this (your) website into becoming victims of a scam page, because the redirect is made in the background while the user is focused on another tab.
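
Added example, not from the report or the BookWyrm project: a Node.js check that scans page markup for anchors with target="_blank" that lack rel="noopener" or rel="noreferrer", which is the condition the report describes. The sample markup is constructed from the external links listed in the report, and the function and regex names are my own.

```javascript
// Static lint for reverse tabnabbing: flag <a target="_blank"> anchors whose
// rel attribute carries neither "noopener" nor "noreferrer". Regex-based, so
// it is a template/output lint aid, not a full HTML parser.

// Match <a ...> opening tags; attribute parsing happens separately.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Match name="value", name='value' or name=value attribute pairs.
const ATTR_RE = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    // Whichever quoting style matched, take that capture group.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns the href of every anchor that opens a new browsing context
// (target=_blank) without severing the window.opener relationship.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    // rel is a space-separated token list; either token blocks window.opener.
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    unsafe.push(attrs.href || "");
  }
  return unsafe;
}

// Constructed sample markup modelled on the external links the report lists.
const SAMPLE_HTML = `
<a href="https://www.patreon.com/bookwyrm" target="_blank">Patreon</a>
<a href="https://www.ramaytush.org/" target="_blank" rel="nofollow noopener noreferrer">Credits</a>
<a href="/about" target='_blank' rel=noopener>About</a>
<a href="/feed">Feed</a>
`;

console.log(findUnsafeBlankLinks(SAMPLE_HTML)); // → [ 'https://www.patreon.com/bookwyrm' ]
```

Current browsers already treat target="_blank" as implying noopener, so the explicit rel attribute is defence in depth for older clients and for links opened through window.open.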

Activity:

  1. We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. (a year ago)
  2. A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
  3. Mouse Reeve validated this vulnerability. (a year ago)
  4. AGNIHACKERS has been awarded the disclosure bounty.
  5. The fix bounty is now up for grabs.
  6. The researcher's credibility has increased: +7
  7. Mouse Reeve marked this as fixed in 0.4.5 with commit 1518db. (a year ago)
  8. The fix bounty has been dropped.
  9. This vulnerability will not receive a CVE.
  10. dashboard.html#L1-L147 has been validated.

AGNIHACKERS (Researcher), a year ago

@maintainer are you happy to assign a CVE? Please confirm; only then can the admin move further.

AGNIHACKERS (Researcher), a year ago

@admin can you please assign a CVE for this?

AGNIHACKERS (Researcher), a year ago

@admin the maintainer has requested a CVE via GitHub; here is the link, please check it: https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-xq42-mq5w-m24x

So can we assign a CVE here?

Akshay Ravi, a year ago

Hey, in this case the maintainer has only created and published a security advisory. GitHub staff will verify it and assign a CVE later (it may take time accordingly). Once the CVE is assigned by GitHub, you can add the CVE number here and request an admin to add it to your profile.

AGNIHACKERS (Researcher), a year ago

Okay @Akshay Ravi

Jamie Slome (Admin), a year ago

Hi 👋 Once the CVE is added to the GitHub Security Advisory, we can add it to this report. Please let me know once it receives a CVE number :)

AGNIHACKERS (Researcher), a year ago

@admin CVE-2022-35953 has been assigned for this issue; can you please add this CVE ID to this report? https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-xq42-mq5w-m24x

Jamie Slome (Admin), a year ago

Sorted - the CVE has now been added to this report ♥️
