skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
May 23, 2024

GHSL-2024-015: Cross-Site Request Forgery (CSRF) in the livemarks browser extension - CVE-2024-30252

Kevin Stubbings

Coordinated Disclosure Timeline

Summary

The livemarks browser extension is vulnerable to a CSRF attack. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL.

Project

livemarks

Tested Version

v3.6

Details

Authenticated blind CSRF in background.js (GHSL-2024-015)

The subscribe.js script uses the first parameter from the current URL location as the URL of the RSS feed to subscribe to and checks that the RSS feed is valid XML.

subscribe.js

async function main() {
  const queryString = location.search.substring(1).split("&");
  const feedUrl = decodeURIComponent(queryString[0]);
...
const feed = await browser.runtime.sendMessage({
      msg: "get-feed",
      feedUrl
    });

feed-parser.js

const FeedParser = {
  fetchXML(url) {
    return new Promise((resolve, reject) => {
      const request = new XMLHttpRequest();
      request.open("GET", url, true);
    const doc = await this.fetchXML(url);

subscribe.js is accessible by an attacker website due to its use in subscribe.html, an HTML page that is declared as a web_accessible_resource in manifest.json

manifest.json

"web_accessible_resources": [
    "pages/subscribe/subscribe.html"
  ]

Impact

This issue may lead to Privilege Escalation. A blind CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving an authenticated request instantiated from an attacker, this integrity is broken.

Proof of Concept

A leak of the UUID is necessary to exploit this vulnerability, since the extension is for Firefox only. If an attacker can convince the user to install an additional extension with permissions that don’t directly allow them to make authenticated requests, for example the management permission, then an attacker may be able to leak the UUID and pivot from the approved permission to CSRF. In this scenario, the attacker would gain the ability to send SameSite cookies because livemarks has permissions for all urls.

Host the following html:

<iframe
src="moz-extension://80ee9db1-93c8-40ac-a721-9b375ef3a569/pages/subscribe/subscribe.html?attacker-supplied.domain>
</iframe>

Visit this html page with the livemarks browser extension installed, resulting in the authenticated request to attacker-supplied.domain.

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-015 in any communication regarding this issue.