web application security lab

Quicky Firefox Bookmarklet Backdoor

Every once in a while I see someone who really should know better leaving their desktop unattended. Sometimes you can change their homepage to porn sites, or send emails to their bosses telling them that they don’t need that pay raise after all, and other such fun. Well, if you know the user isn’t running NoScript you can change their homepage to something a little more dangerous - a JavaScript bookmarklet.

You can see a demo here. Of course this relies on you having a web server set up ahead of time with a malicious piece of JavaScript that the bookmarklet can include. But I think this teaches two valuable lessons if done properly: 1) Use NoScript, even on your homepage, and 2) Don’t leave your desktop unattended. Please don’t use it for evil!
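As an added defender's check (not part of the original post): a small Python script that reads a Firefox prefs.js and flags a homepage whose scheme executes code in the page, which is the persistence trick the post describes. The prefs.js layout and the browser.startup.homepage preference are real Firefox conventions; the prefs.js text below is constructed sample data, and evil.example is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample of a Firefox prefs.js: one benign homepage and one
# javascript: bookmarklet joined with '|' (Firefox's multi-homepage separator).
SAMPLE_PREFS = r'''
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "http://ha.ckers.org/|javascript:(function(){/* loader from evil.example */})()");
user_pref("network.cookie.cookieBehavior", 0);
'''

# Matches: user_pref("name", "value");  with backslash escapes allowed in value
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Schemes whose "URL" is really code that runs with the first page's privileges
RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")


def homepage_entries(prefs_text):
    """Return the list of homepage URLs set in prefs.js (empty if none is set)."""
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "browser.startup.homepage":
            raw = m.group(2).replace('\\"', '"').replace('\\\\', '\\')  # undo escapes
            return [u.strip() for u in raw.split("|") if u.strip()]
    return []


def find_script_homepages(prefs_text):
    """Return homepage entries whose scheme executes code, after undoing
    common disguises: percent-encoding, mixed case, embedded whitespace."""
    hits = []
    for url in homepage_entries(prefs_text):
        norm = re.sub(r'[\s\x00-\x1f]', '', unquote(url)).lower()
        if norm.startswith(RISKY_SCHEMES):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for suspicious in find_script_homepages(SAMPLE_PREFS):
        print("suspicious homepage entry:", suspicious)
```

On a real profile, point it at the prefs.js in the user's profile directory; an enterprise can run the same check over user.js and locked policies.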

18 Responses to “Quicky Firefox Bookmarklet Backdoor”

  1. Daniel Veditz Says:

    Does this work as a homepage? My first thought, and experience when I try it, is that the script is injected into the empty about:blank document and only after that does document.location get changed.

  2. RSnake Says:

    It worked on mine. It changes the URL to whatever the user had their old homepage as and then injects the JavaScript as an appended script.

  3. MustLive Says:

    RSnake

    First of all, fix the XSS vulnerability in parameter wolf. Even if you use the “blog” path for WP cookies and even if you use protections (such as NoScript), there are other people who can be attacked at your site.

  4. MustLive Says:

    And about homepage functionality.

    If you missed my article Dark home about attacks via Homepages, then you can read it.

  5. Wornstrom Says:

    Nice. Another of those “why didn’t I think of that?” exploits. You seem to always be the guy who does think of that.

  6. Nos Says:

    And I thought changing the shortcut to their browser to always go to a porn site was evil…

  7. Wladimir Palant Says:

    RSnake, I actually agree with Daniel. Location changes usually happen asynchronously, the document isn’t being replaced until (at least) the connection to the server is established. So in the usual case your bookmarklet should only infiltrate about:blank. This might be different if the page in question is loaded from file:/// or is cached, would need to test that…

  8. Prashant Says:

    Well, my friend and I have found several vulnerabilities in NASA’s servers, including the Jet Propulsion Lab. We have also found HTML injection. I’m a daily reader of your blog :) as I like it, so I thought of conveying this news to you.

  9. sirdarckcat Says:

    javascript:while(1)self.close();

    is better IMHO..

  10. PaPPy Says:

    @RSnake
    “First of all, fix XSS vulnerability in parameter wolf.” - MustLive
    Yeah, set wolf to http://www.test.com’);hacked.appendChild(hacked_js);XSS_HERE

    Debating if I should submit it to xssed.com
    or post in the full disclosure post on the forums?

  11. PaPPy Says:

    Damn, forgot it would strip out my end textarea :(
    It should be in between ; and xss_here

  12. kik Says:

    Shouldn’t the conclusion be instead 1) don’t use computers 2) don’t socialize with people? :)

  13. RSnake Says:

    @Wladimir - I see what you’re saying. My homepage was in fact cached, so perhaps that’s what I was seeing. I think a setTimeout might have the right effect in that case.

    @Mustlive & PaPPy - fixed. Thanks!

  14. wert12 Says:

    Reminds me of IE, which crashes when you set JavaScript code as the homepage (IE6).

  15. DigiP Says:

    Doesn’t work in Opera using this default script, which I think is a good thing. It will however launch the site I choose as a bookmark, but will not add the JS to the page at all. Might just need to be custom coded for Opera though, as I know they differ slightly for certain DOM objects, but it DID work in Firefox without any issues.

  16. ste Says:

    setTimeout: somehow didn’t work after location was set.

    So I inserted a loop which tries to find the head tag, but it also didn’t work 100%…

    Solution: loop till you find the body tag, which means the head tag is already loaded and ready to use ;)

  17. Kishor Says:

    Having a hard time understanding this.

    If they left their desktop unattended, I would probably disable NoScript on their browser, or do other bad things too.

  18. antimatter15 Says:

    Aren’t there a lot of worse things that could happen to an unattended computer?