WebTorrent http server XSS #5821
Labels: feature/webtorrent, QA Pass-Linux, QA Pass-macOS, QA Pass-Win64, QA/Test-Plan-Specified, QA/Yes, release-notes/include, security
Milestone
Comments
feross added the security, QA/Yes, QA/Test-Plan-Specified and feature/webtorrent labels on Aug 27, 2019
feross added a commit to brave/brave-core that referenced this issue on Aug 27, 2019
Fixed in webtorrent PR: webtorrent/webtorrent#1714
Changed milestones to 0.69.x because WebTorrent is upgraded to 0.107.16 in 0.69.x by brave/brave-core#3450.
This was referenced Sep 23, 2019
Verification PASSED on
Reproduced using 0.68.141 CR: 77.0.3865.90
Verified using 0.69.129 CR: 77.0.3865.90
Verification passed on
Description
There's a low risk XSS in the WebTorrent http server. It relies on getting the user to visit an HTML page served by the WebTorrent http server but that we do not expose to Brave users in any UI or user flows.
The following steps are required to pull this off:
1. .torrent file or magnet link which contains a specially-crafted torrent title or file name.
2. http://localhost:12345/0/file.mp4, then the user would need to modify it to visit http://localhost:12345, the server index page (which lists the files in the torrent).
3. http://localhost:12345 origin.
An alternative way to trigger this is:
1. .torrent file or magnet link which contains a specially-crafted torrent title or file name.
2. http://localhost:<port> combinations until they find the one that WebTorrent is using.
The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. Furthermore, even if the attacker attacked the HTTP server itself somehow (e.g. via a malformed request) the HTTP server is being run in a sandboxed Chrome extension context, so potential for damage seems limited.
The only thing the WebTorrent http server origin can do is fetch pieces of the torrent. This origin is distinct from the WebTorrent extension origin, which does not contain an XSS. It seems that the most attacker code can do is e.g. figure out what content the user is downloading and exfiltrate that information to an external server.
The attacker could also install a service worker on localhost:12345 and attempt to interfere with whatever server may run on that port in the future.
Steps to Reproduce
Copied from H1 report.
Actual result:
Expected result:
Reproduces how often:
Easily reproduced
Brave version (brave://version info)
Version 0.71.41 Chromium: 76.0.3809.132 (Official Build) nightly (64-bit)
Version/Channel Information:
Other Additional Information:
Miscellaneous Information:
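As an added illustration (not webtorrent's or Brave's code, and not the change made in webtorrent/webtorrent#1714), here is a minimal index-page renderer for a torrent HTTP server showing the class of defect described above: the torrent title and file names interpolated into the index page unescaped, beside a hardened renderer that escapes them for HTML context and URL-encodes the link path. The torrent object shape, the helper names and the sample torrent are assumptions constructed for this example.

```javascript
// Added example, not webtorrent's own server code. Assumed torrent shape:
// { name: string, files: [{ name: string }] }.

function escapeHtml(str) {
  // Escape the characters that can break out of text or attribute context.
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: attacker-controlled torrent metadata lands verbatim in the page.
function renderIndexUnsafe(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}/${f.name}">${f.name}</a></li>`)
    .join('');
  return `<h1>${torrent.name}</h1><ul>${items}</ul>`;
}

// Hardened: every untrusted value is escaped for the context it is placed in,
// and the path segment inside the href is URL-encoded before being escaped.
function renderIndexSafe(torrent) {
  const items = torrent.files
    .map((f, i) => {
      const href = `/${i}/${encodeURIComponent(f.name)}`;
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(f.name)}</a></li>`;
    })
    .join('');
  return `<h1>${escapeHtml(torrent.name)}</h1><ul>${items}</ul>`;
}

// Simple check usable in a regression test: does the rendered HTML still
// contain a raw <script> tag that came from torrent metadata?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample torrent whose title and one file name carry markup.
const SAMPLE_TORRENT = {
  name: 'Sample <script>alert(1)</script>',
  files: [{ name: 'file.mp4' }, { name: '"><script>alert(2)</script>.mp4' }],
};
```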