Coordinated Disclosure Timeline
- 2024-02-23: Report submitted via Private Vulnerability Reporting
- 2024-03-01: Vulnerability Patched in v3.7
- 2024-04-01: CVE-2024-30252 Assigned
Summary
The livemarks browser extension is vulnerable to a CSRF attack. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL.
Project
livemarks
Tested Version
v3.6
Details
Authenticated blind CSRF in background.js (GHSL-2024-015)
The subscribe.js script takes the first query parameter of its own URL as the URL of the RSS feed to subscribe to and checks that the response is valid XML. The fetch itself is performed in background.js, where the get-feed message handler calls FeedParser.fetchXML, which issues an XMLHttpRequest GET to the caller-supplied URL. Relevant excerpts (elided code is marked with ...):

    // subscribe.js
    async function main() {
      const queryString = location.search.substring(1).split("&");
      const feedUrl = decodeURIComponent(queryString[0]);
      ...
      const feed = await browser.runtime.sendMessage({
        msg: "get-feed",
        feedUrl
      });

    // background.js
    const FeedParser = {
      fetchXML(url) {
        return new Promise((resolve, reject) => {
          const request = new XMLHttpRequest();
          request.open("GET", url, true);
          ...

      ...
      const doc = await this.fetchXML(url);
subscribe.js is reachable from an attacker's website because it is loaded by subscribe.html, an HTML page that manifest.json declares as a web_accessible_resource:

    "web_accessible_resources": [
      "pages/subscribe/subscribe.html"
    ]
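To make the parsing flaw concrete, the following is an added example and not livemarks' own code (the v3.7 fix is not described on this page). It places the first-query-parameter extraction quoted from subscribe.js next to a stricter variant; the helper names feedUrlFromSearchVulnerable, feedUrlFromSearchHardened and isPrivateHost, the named "feed" parameter and the framing flag are all assumptions made for the illustration. It runs under Node, where URL and URLSearchParams are globals, and calls no browser.* API.

```javascript
// Added example, not livemarks code. Contrasts the first-query-parameter
// parsing quoted from subscribe.js with a stricter variant. Runs under Node
// (URL and URLSearchParams are globals); nothing here calls browser.* APIs.

// Vulnerable pattern from the page: whatever precedes the first "&" is the
// feed URL, so subscribe.html?https://10.0.0.5/admin/reboot is accepted as-is
// and handed to the background script for an authenticated GET.
function feedUrlFromSearchVulnerable(search) {
  const queryString = search.substring(1).split("&");
  return decodeURIComponent(queryString[0]);
}

// Hypothetical helper: true for literal IPv4 addresses in the loopback,
// RFC 1918, link-local and "this network" ranges, and for localhost. The
// WHATWG URL parser canonicalises forms such as 0x7f000001 or 2130706433 to
// dotted-quad before we see them, so those are caught too. DNS names that
// resolve to private addresses are NOT caught; that needs a check at
// connection time (DNS rebinding stays possible).
function isPrivateHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname.startsWith("[")) return true; // design choice: no raw IPv6 literals
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Hardened variant (hypothetical; not the project's actual fix):
//  - refuse to run when the page is framed (in a browser this would be
//    window.top !== window.self; passed in explicitly so it is testable),
//  - read a named "feed" parameter instead of "the first thing after ?",
//  - accept only http(s) URLs and reject private address literals.
// Returns the canonical URL string, or null when the request must be refused.
function feedUrlFromSearchHardened(search, { isFramed = false } = {}) {
  if (isFramed) return null;
  const raw = new URLSearchParams(search).get("feed");
  if (raw === null) return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // relative paths, garbage, javascript: without a host, etc.
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (isPrivateHost(url.hostname)) return null;
  return url.href;
}
```

The hostname filter is defence in depth only: it does nothing against a public DNS name that resolves to 10.0.0.5, and the framing check does not stop an attacker who navigates a top-level window to the moz-extension:// URL instead of embedding it. The mitigation that actually removes the attack surface is to stop declaring subscribe.html as a web_accessible_resource and to start the subscribe flow from the extension's own UI, so web content cannot load the page at all.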
Impact
This issue may lead to Privilege Escalation. A blind CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality that is assumed to be safe only because of network segmentation; once that server receives an authenticated request initiated by an attacker, that assumption no longer holds.
Proof of Concept
Because the extension is Firefox-only, exploiting this vulnerability requires leaking the extension's per-installation UUID (the moz-extension:// origin is randomised per profile). If an attacker can convince the user to install an additional extension whose permissions do not directly allow it to make authenticated requests, for example the management permission, the attacker may be able to leak the UUID and pivot from that approved permission to CSRF. In this scenario the attacker gains the ability to send requests that carry the user's cookies, including SameSite cookies, because livemarks has host permissions for all URLs.
Host the following HTML (the UUID is that of the target installation):

    <iframe
      src="moz-extension://80ee9db1-93c8-40ac-a721-9b375ef3a569/pages/subscribe/subscribe.html?attacker-supplied.domain">
    </iframe>

Visit this page in a browser with the livemarks extension installed; the extension issues the authenticated request to attacker-supplied.domain.
CVE
- CVE-2024-30252
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-015 in any communication regarding this issue.