Security issue - Javascript Bookmark Execution - Chrome as Attack Vector

Fabien K.

Jan 31, 2024, 5:56:51 PM1/31/24
to Chromium-discuss
Dear Community,

Our company has noticed an increased volume of phishing attempts involving the execution of Javascript in bookmarks.

Scammers trick users, through social engineering, to drag and drop a picture button into their bookmark browser area, then to open a tab on a service they are logged in to and to click the bookmark button. The social engineering story is about performing a "verify you are not a robot" control, and the picture button's text reads something akin to "Anti-bot Checker".

The Javascript then sends secret tokens extracted from cookies or localStorage to third-party malicious websites where they are up for grabs by the scammers - a simple GET request with the secrets in parameters.

Example for you to test:

1. Create a blank HTML file and put in the following content:

<a href="javascript:window.alert(document.cookie);"><img src="https://ssl.gstatic.com/ui/v1/icons/mail/rfr/logo_gmail_lockup_default_2x_r5.png" alt="ANTIBOT CHECK"></a>

2. Save locally and open the file

3. Drag and drop the picture into your bookmark bar

4. Open this discussion tab again and click on the shortcut.

I can understand that having Javascript actions in bookmarks can prove useful to developers; however, the feature is increasingly being leveraged as an attack vector.

Non tech-savvy users do not need to execute Javascript in bookmarks.

I recommend that Javascript execution in bookmark addresses be disabled by default, and that an option be added should users want to enable the feature again.


I hope this post gets some attention, let me know of your feedback.

Regards
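
Added example, not part of the original thread or of Chromium's own code: a small Python check that scans a Chrome "Bookmarks" profile file for entries whose scheme is javascript:, the kind of entry the social-engineering flow above plants. It assumes the file's standard JSON layout ("roots" holding folder trees of "url"/"folder" nodes); the sample file embedded below is constructed, and the Linux profile path in the comment is the usual default.

```python
import json
from collections.abc import Iterator

# Constructed sample in the layout of Chrome's "Bookmarks" file (on Linux typically
# ~/.config/google-chrome/Default/Bookmarks). Real files carry more fields; only the
# ones this scanner reads are shown.
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "name": "Docs", "url": "https://docs.example.test/"},
            {"type": "url", "name": "ANTIBOT CHECK",
             "url": "javascript:window.alert(document.cookie);"},
            {"type": "folder", "name": "Tools", "children": [
                {"type": "url", "name": "check", "url": " JavaScript:void(0)"},
            ]},
        ]},
        "other": {"type": "folder", "name": "Other", "children": []},
    }
})


def _scheme_of(url: str) -> str:
    # Browsers ignore leading space/control characters and embedded tab/newline and
    # match the scheme case-insensitively. Dropping every character <= 0x20 before
    # reading the scheme is a superset of that, so variants like " JavaScript:" are
    # still caught and cannot slip past the check.
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    return cleaned.split(":", 1)[0].lower()


def iter_url_nodes(node: dict, path: str) -> Iterator[tuple[str, str]]:
    """Yield (folder/name path, url) for every url node under a bookmark tree node."""
    if node.get("type") == "url":
        yield path, node.get("url", "")
        return
    for child in node.get("children", []):
        yield from iter_url_nodes(child, f"{path}/{child.get('name', '')}")


def find_javascript_bookmarks(bookmarks_json: str) -> list[tuple[str, str]]:
    """Return (location, url) for every bookmark whose scheme is javascript:."""
    data = json.loads(bookmarks_json)
    hits = []
    for root_name, root in data.get("roots", {}).items():
        for location, url in iter_url_nodes(root, root_name):
            if _scheme_of(url) == "javascript":
                hits.append((location, url))
    return hits


if __name__ == "__main__":
    for location, url in find_javascript_bookmarks(SAMPLE_BOOKMARKS):
        print(f"javascript bookmark at {location}: {url[:60]}")
```

To run it against a real profile, read the Bookmarks file's contents and pass them to find_javascript_bookmarks; any hit in a non-developer's profile is worth a closer look.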

Fabien K.

Feb 20, 2024, 12:51:53 PM2/20/24
to Chromium-discuss, Fabien K.
Hello Community,

Is this getting any attention?

I am kind of surprised that Google Chrome can be that easily leveraged against unsuspecting users for running malicious Javascript...

What would you recommend in order to get this topic properly reviewed?

Adam Rice

Feb 21, 2024, 4:18:35 AM2/21/24
to fabien....@sandbox.game, Chromium-discuss
Please file a security issue as described at https://www.chromium.org/Home/chromium-security/reporting-security-bugs/. This should get the attention of the right people.

Since this ability to create bookmarklets is intended, you will need to provide good evidence of active exploitation to convince people that a change of behaviour is warranted.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

Fabien K.

Feb 21, 2024, 8:47:53 AM2/21/24
to Chromium-discuss, Adam Rice, Chromium-discuss, fabien....@sandbox.game
Hello Adam,

Thank you for your helpful response. I will fill in a Security Report following your indications.

In my original post, you can find details about the ongoing issue, along with a reproducible and inoffensive test that can be performed to gain clarity on this topic. Once again, the problem is that Chrome allows JavaScript to be executed in bookmarks by default, which is currently exploited by active scam operations online. The Chrome "feature" has transformed into an active attack vector in the wild.

Unfortunately, I do not have an ongoing threat example to showcase at the moment – we have taken down the previous scam website that exploited the Chrome feature. However, I am confident that the reviewers will understand the problem and give it a proper review nonetheless.

Best regards,

Vetrivel

Mar 4, 2024, 3:27:54 PM3/4/24
to fabien....@sandbox.game, Chromium-discuss
Ignore it. Usually these are temporary windows for higher authorities targeting someone for worldly affairs through middle management owning Chrome.

It will be reported two months later as a bug and get fixed.


I noticed one happening, and I reported a security issue through a JS memory leak.

If I'm right, my two events and your report must have happened in the same interval. And the next event will happen again, and you will push your intellect to the extreme to find a hole in the system.

Take it light, you will notice more.
