Tahoe-LAFS PoC comment
Gist thejh/6161dda44cd2b468e291, created April 26, 2015 23:49
I made a PoC that shows one possible way to exploit this. Use a Tahoe-LAFS instance that is connected to the testnet, browse to different URLs in the testnet, then navigate the same tab to this URL:

http://localhost:3456/file/URI%3ACHK%3A6hxsjrbtiyjohpj7i7bn6dqixi%3Ail3humxxej53gg6bpr3l5ecxrqdg6wnd5ceuq33vqtrivvrhlfeq%3A1%3A6%3A1262/@@named=/historysteal.html

Click anywhere on the page. The following attack will happen:

-------------------------
The evil HTML file opens itself in a second tab using "window.open(location.toString(), 'foo')" (requires a click to bypass popup blockers). Then the evil HTML file in the second tab can access the first tab using "window.opener". The evil second tab does this again and again:
- run window.parent.history.go(-1) to let the first tab go one step back in the browsing history
- grab the current URL of the first tab using window.parent.location.toString()
- send the URL out to the attacker's server
This will work until a page with a different origin is reached.
-------------------------

After the attack has run, you'll see the URLs that you have visited in the same tab before.

This is a copy of the HTML file:
https://var.thejh.net/lafs_historysteal.html.bin