Bugs In The Browser Firefox's DATA URL Scheme Vulnerability

I will be as brief as possible. Here is the deal: attackers are able to launch Cross-site scripting attacks from any origin (kind of like universal XSS) or escalate their privileges to chrome (not trivial) by tricking the victim into performing an action, such as clicking on a link. The issue was found and tested on the latest Firefox release.

The vulnerability was discovered within the way Firefox handles the data: URL scheme. The data URL protocol is used to compose inline data streams, such as images, audio and video files, HTML pages, etc, etc, etc. According to the almighty Wikipedia:

The data: URI scheme defined in IETF standard RFC 2397, is an URI scheme that allows inclusion of small data items inline, as if they were being referenced to as an external resource. They tend to be far simpler than alternative inclusion methods, such as MIME with cid: or mid:. According to the wording in the RFC, data: URIs are in fact URLs, although they do not actually locate anything.

To cut the long story short, a problem occurs due to the fact that Firefox threats data: URLs the same way as javascript: URLs, i.e the origin of the generated content does not point to about:blank but to the initiating parent. Therefore, websites which allow user-supplied content but does not sanitize data: URLs when supplied as part of links and other dynamic components, could result into compromising the security of the visiting users and potentially the security of the hosting site.

It is also possible to escalate to chrome privileges, although it is not that trivial. This type of vulnerability can be used successfully on various types of extensions such as RSS feed readers, and in general browser components that make use of URLs extensively, to escape from the restricted sandbox and jump into the chrome from where attackers will be able to completely hijack the victim's browser, install badware to snoop on to private data that comes in and goes out and perform other malicious and illegal activities.

The simplest way to test and verify the bug is to create and host a page on a server, which contains the following text:

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=">test</a>

When you click on the "test" link, pay attention on the alert pop-up title (the text inside the blue gradient if you are on Windows). Obviously the origin is still within the same context as the parent. This shouldn't be the case. If the same link is posted to myspace.com, attackers will successfully execute a Cross-site scripting attack, which is wormable, although it will not be as severe as the Samy worm. As I mentioned before, similar tactics can be used against known Firefox extensions and the Firefox browser itself in order to gain chrome privileges.

When I discovered this issue I thought that this is the intended behavior enforced by the browser. After investigating Opera and Safari for similar problems and reading more about data: URLs, it was more then clear that an inherent vulnerability is present within the Firefox browser. The best way to protect yourself from this kind of attack is to use white rather then black listings, i.e. you allow only http: and https: protocols, instead of allowing all protocols apart from javascript:. These tactics are applicable to both Web and Extension developers.