Vulnerbility report - Established WebSocket session remains open #2
Comments
Hi @dz2742, Honestly I just released this extension yesterday so a zero-day is probably not an issue to discuss publicly. You can post it here.
Changing proxy settings doesn't disconnect an established WebSocket session.

```html
<!DOCTYPE html>
<html>
<script>
const websocket = new WebSocket("wss://" + location.host + "/ws");
let logs = "";
websocket.addEventListener('message', event => {
  logs = event.data + "\n" + logs;
  document.body.innerText = logs;
});
// keep the already-open socket busy after the proxy settings change
setInterval(() => {
  websocket.send(Math.random());
}, 1000);
</script>
<img src="/delay">
</html>
```
Nice catch, thank you for your work! I think that constitutes a full exploit and deserves the entire 100 USD in the pool. Would you like to donate some of that back for future reports? Let me know if so. Otherwise, do you accept bitcoin/cardano? Post your address here or send me an email at matus at matus io
My pleasure, also congratulations on trending on the HN front page! I would like to donate to other projects on GitHub, would you mind making a few one-time sponsorships in my place?
Yes of course and thank you! Do you have specific projects in mind? If not, I will look for some that I've used recently and post back here.
I would like to donate 20 USD to each of them and the remaining 20 USD is yours, thank you 😃
Sponsorships sent! I'll think of you dz2742 when I buy a beer with that twenty. :) P.S. Feel free to submit more vulnerabilities, I replenished the pool for another 100 USD.
As far as my research goes, there doesn't seem to be a way to cut network access for in-progress connections from an Addon. Suppression for websockets specifically is to simply block all websockets in our container even before network lock is requested. However I believe the vulnerability still exists for other connections so I am leaving this issue open while I look into it. Particularly, any request body can be a ReadableStream that I predict will stay open for as long as I keep the stream open. I will do a POC to verify this. Any suggestions on how to fix this are welcome.
It seems that WebRTC also enables data leaks, which is totally not surprising. TL;DR: Established WebRTC session remains open. A simple POC using peerjs:
Firefox has an offline mode (Alt key to bring out the menu bar - File - Work Offline) from the good old days; enabling it cuts existing connections including WebSocket. It's browser-wide so other tabs (especially video conference) will be affected.
Unfortunately, it's not possible to control this through an extension. The homepage of the first extension contains "...except already connected WebSocket connections" and the second link uses However, there are three attack vectors I identified and here are the best solutions I could come up with:
Interesting note:
Other things I considered:
According to my testing the extension does cut out existing WebSocket, the second link is its source code.
Thank you for this insight. I found that the extension does also inject a content script into the page and calls For WebRTC however
This is now fixed in released version 0.0.3. Thanks for all your help!

- Blocking WebSockets
- Blocking WebRTC
- Tracking open connections, waits for all to close
- Detailed view of each blocking status
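Two of the mitigations discussed in this thread, refusing new WebSockets once the network lock is requested and tracking open connections until every one of them has closed (the first and third items of the 0.0.3 list), can be sketched as a content-script guard around the page's `WebSocket` constructor. The block below is an added example and is not the extension's own code: `installWebSocketGuard`, `NetworkLockedError` and the `FakeWebSocket` stand-in (which replaces the browser's real `WebSocket` so the logic runs offline under Node) are assumptions made for this demonstration.

```javascript
// Added example, not code from the extension or the issue thread: a
// content-script style "network lock" guard for WebSocket. It replaces the
// page's WebSocket constructor with a wrapper that (a) records every socket
// the page opens, (b) refuses new sockets once lock() has been requested,
// and (c) resolves a "drained" promise once every socket opened before the
// lock has closed. FakeWebSocket is a constructed stand-in for the browser's
// WebSocket so the logic can run offline under Node.

const OPEN = 1;
const CLOSED = 3;

class FakeWebSocket {
  constructor(url) {
    this.url = url;
    this.readyState = OPEN;          // constructed: pretend the handshake completed at once
    this.listeners = { close: [] };
    this.sent = [];
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  send(data) {
    if (this.readyState !== OPEN) throw new Error('socket is not open');
    this.sent.push(String(data));
  }
  close() {
    if (this.readyState === CLOSED) return;
    this.readyState = CLOSED;
    for (const fn of this.listeners.close) fn({ type: 'close', target: this });
  }
}

class NetworkLockedError extends Error {
  constructor(url) {
    super(`network lock active, refusing WebSocket to ${url}`);
    this.name = 'NetworkLockedError';
  }
}

// globalObj is the object whose WebSocket property the page uses
// (window in a real content script; a plain object in the demo below).
function installWebSocketGuard(globalObj) {
  const Native = globalObj.WebSocket;
  const open = new Set();
  let locked = false;
  let resolveDrained;
  const drained = new Promise((resolve) => { resolveDrained = resolve; });

  const settleIfDrained = () => {
    if (locked && open.size === 0) resolveDrained();
  };

  globalObj.WebSocket = new Proxy(Native, {
    construct(target, args, newTarget) {
      if (locked) throw new NetworkLockedError(args[0]);
      const ws = Reflect.construct(target, args, newTarget);
      open.add(ws);
      // Both a server-initiated close and a page-initiated close() fire this event.
      ws.addEventListener('close', () => {
        open.delete(ws);
        settleIfDrained();
      });
      return ws;
    },
  });

  return {
    // Refuse new sockets from now on; the returned promise resolves once
    // the pre-existing ones have all closed. Existing sockets are NOT cut,
    // which is exactly the limitation the thread describes.
    lock() {
      locked = true;
      settleIfDrained();
      return drained;
    },
    openCount: () => open.size,
    isLocked: () => locked,
  };
}

// Walk through the scenario from the issue: sockets opened before the lock
// stay open, a socket attempted after the lock is refused, and the guard
// knows when the old ones are gone. Returns a summary for inspection.
function demo() {
  const page = { WebSocket: FakeWebSocket };
  const guard = installWebSocketGuard(page);

  const a = new page.WebSocket('wss://example.invalid/ws');   // constructed URL
  const b = new page.WebSocket('wss://example.invalid/ws2');  // constructed URL
  a.send(Math.random());
  const openBeforeLock = guard.openCount();

  guard.lock();
  let refused = false;
  try {
    new page.WebSocket('wss://example.invalid/ws3');
  } catch (e) {
    refused = e instanceof NetworkLockedError;
  }
  const openAfterLock = guard.openCount();  // the two old sockets are still open

  a.close();
  b.close();
  const openAfterClose = guard.openCount();

  return { openBeforeLock, refused, openAfterLock, openAfterClose };
}

console.log(demo());
```

Replacing the page-visible constructor is best-effort only: a script that captured the native `WebSocket` before the content script ran, or obtains one from a freshly created frame, bypasses the wrapper, which is why the release notes above also block WebSockets at the extension layer rather than relying on the page global alone. The guard's value is in the accounting: it can report how many pre-lock sockets are still alive and when the lock has actually taken full effect.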
Hi,
I came for the bug bounty and I found one, what is the recommended way of communicating the details?
Thank you