Quicky Firefox Bookmarklet Backdoor
Every once in a while I see someone who really should know better leaving their desktop unattended. Sometimes you can change their homepage to porn sites, or send emails to their bosses telling them that they don’t need that pay raise after all, and other such fun. Well, if you know the user isn’t running NoScript, you can set their homepage to something a little more dangerous: a JavaScript bookmarklet, that is, a javascript: URL that the browser executes every time the homepage loads.
You can see a demo here. Of course, this relies on you having a web server set up ahead of time that hosts the malicious JavaScript the bookmarklet pulls in. But I think this teaches two valuable lessons if done properly: 1) use NoScript, even on your homepage, and 2) don’t leave your desktop unattended. Please don’t use it for evil!



January 26th, 2010 at 2:08 pm
Does this work as a homepage? My first thought, and experience when I try it, is that the script is injected into the empty about:blank document and only after that does document.location get changed.
January 26th, 2010 at 2:40 pm
It worked on mine. It changes the URL to whatever the user had their old homepage as and then injects the JavaScript as an appended script.
January 26th, 2010 at 6:54 pm
RSnake
First of all, fix the XSS vulnerability in the parameter wolf. Even if you use the “blog” path for WP cookies, and even if you use protections (such as NoScript), there are other people who can be attacked at your site.
January 26th, 2010 at 7:01 pm
And about homepage functionality.
If you missed my article Dark home about attacks via Homepages, then you can read it.
January 26th, 2010 at 7:04 pm
Nice. Another of those “why didn’t I think of that?” exploits. You seem to always be the guy who does think of that.
January 27th, 2010 at 2:14 am
And I thought changing the shortcut to their browser to always go to a porn site was evil…
January 27th, 2010 at 4:51 am
RSnake, I actually agree with Daniel. Location changes usually happen asynchronously; the document isn’t being replaced until (at least) the connection to the server is established. So in the usual case your bookmarklet should only infiltrate about:blank. This might be different if the page in question is loaded from file:/// or is cached, would need to test that…
January 27th, 2010 at 5:23 am
Well, my friend and I have found several vulnerabilities in NASA’s servers, including the Jet Propulsion Lab. We have also found HTML injection. I’m a daily reader of your blog, as I like it, so I thought of conveying this news to you.
January 27th, 2010 at 6:42 am
javascript:while(1)self.close();
is better IMHO.
January 27th, 2010 at 6:53 am
@RSnake
“First of all, fix XSS vulnerability in parameter wolf.” - MustLive
Yeah, set wolf to http://www.test.com’);hacked.appendChild(hacked_js);XSS_HERE
Debating if I should submit it to xssed.com or post it in the full disclosure post on the forums?
January 27th, 2010 at 6:54 am
Damn, forgot it would strip out my end textarea. It should be in between ; and xss_here.
January 27th, 2010 at 8:08 am
Shouldn’t the conclusion be instead 1°) don’t use computers 2°) don’t socialize with people?
January 27th, 2010 at 8:19 am
@Wladimir - I see what you’re saying. My homepage was in fact cached, so perhaps that’s what I was seeing. I think a setTimeout might have the right effect in that case.
@Mustlive & PaPPy - fixed. Thanks!
January 27th, 2010 at 10:36 am
Reminds me of IE, which crashes when you set JavaScript code as the homepage (IE6).
January 29th, 2010 at 8:29 pm
Doesn’t work in Opera using this default script, which I think is a good thing. It will, however, launch the site I chose as a bookmark, but will not add the JS to the page at all. It might just need to be custom coded for Opera though, as I know they differ slightly for certain DOM objects, but it DID work in Firefox without any issues.
February 3rd, 2010 at 1:58 pm
setTimeout: somehow didn’t work after location was set.
So I inserted a loop which tries to find the head tag, but it also didn’t work 100%…
Solution: loop till you find the body tag, which means the head tag is already loaded and ready to use.
February 14th, 2010 at 11:57 am
Having a hard time understanding this.
If they left their desktop unattended, I would probably disable NoScript in their browser, or do other bad things too.
February 25th, 2010 at 9:02 pm
Isn’t there a lot of worse things that could happen to an unattended computer?