This vulnerability is cute but not very useful, mainly because a lot of social engineering is required. However, here is an interesting thought for you: instead of asking the user to bookmark a page, you can supply the bookmark directly to their browser by using Live Bookmarks. So, a mainstream attack will be when a SPLOG network injects malicious links into their feeds. If someone happens to be subscribed to this network with a Live Bookmark and they click on it... well, you know. I haven't tested this, although it should work.

So, although I would rate this issue as low risk, it could as well be quite high or at least medium.

cheers

On 2/22/07, Michal Zalewski <lcamtuf@xxxxxxxxxxxx> wrote:
> On Thu, 22 Feb 2007, pdp (architect) wrote:
>
> > michal, is that a feature or a bug? maybe it is not obvious to me what
> > you are doing but I feel that it is almost like asking the user to
> > bookmark a bookmarklet.
>
> Bookmarklets should be bookmarkable only manually, with user knowledge and consent (that is, you need to copy-and-paste the URL, etc). This seems to be the case for javascript: URLs.
>
> Here, the situation is different: the user can, and quite likely will, unknowingly bookmark a script while attempting to bookmark a regular page via Ctrl-D + <return>. He doesn't expect or want this code to later run in the context of his start page or any other resource (principle of least astonishment, etc, etc).
>
> Cheers,
> /mz
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org