XWiki Rendering
XRENDERING-462

target="_blank" vulnerability makes phishing attacks possible


    Description

      I've discovered a new kind of attack: target="_blank".

      When you create a new link with the attribute target="_blank", the link opens in a new window. However, the page inside this new window can still control the previous window using JavaScript. Of course, some APIs are restricted, but window.location is not.

      It means that the new website can redirect the initial window to a phishing page that looks like the real XWiki but actually asks for the credentials...

      Apparently, this vulnerability is very common and poorly known...

      Some explanation: https://dev.to/phishing

      XWiki is vulnerable to this. I have created a new page with this link:

      [[https://dev.to/||target="_blank"]]
      

      which is the syntax we suggest in our Help Guide.

      When you click on it, the website dev.to opens in a new window, but at the same time, the first window navigates to https://dev.to/phishing.

      Fortunately, preventing this is easy. All we need to do is to add rel="noopener noreferrer" as an attribute of every link that already has target="_blank".

      This could be done in our rendering system and also in the HTMLCleaner.
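      The following is an added example, not code from the XWiki project or from the reporter: it shows the attacker-side payload the description refers to (kept as a string, never executed), an audit function that lists every target="_blank" link lacking rel="noopener"/"noreferrer", and a rewriter of the kind the HTMLCleaner fix would need, which adds rel="noopener noreferrer" while preserving any rel tokens already present. The sample HTML is constructed for the example and only approximates what the renderer emits for [[https://dev.to/||target="_blank"]]; the function names are assumptions.

```javascript
// Added example (not XWiki code): audit and harden target="_blank" links.

// Payload an opened tab can run against its opener, as described in the issue.
// Held as a string for reference only; nothing here executes it.
const ATTACKER_PAYLOAD =
  'if (window.opener) { window.opener.location = "https://dev.to/phishing"; }';

// Constructed sample; approximates the renderer output, not a real XWiki dump.
const SAMPLE_HTML = [
  '<p><a href="https://dev.to/" target="_blank">dev.to</a></p>',
  '<p><a href="https://example.org/" target="_blank" rel="nofollow">has rel</a></p>',
  '<p><a href="https://example.org/safe" target="_blank" rel="noopener">safe</a></p>',
  '<p><a href="https://example.org/same-tab">no target</a></p>',
].join('\n');

// Matches an <a ...> opening tag and captures its attribute text.
const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Parse name=value attributes (double-, single- or un-quoted) from a tag.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

function relTokens(attrs) {
  return (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// A link is unsafe when it opens a new browsing context and keeps the opener
// reference: target="_blank" with neither noopener nor noreferrer
// (noreferrer implies noopener in browsers).
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Audit: return the href of every unsafe link in the document.
function findUnsafeLinks(html) {
  const out = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isUnsafeBlankLink(attrs)) out.push(attrs.href || '');
  }
  return out;
}

// Hardening: give every target="_blank" anchor rel="noopener noreferrer",
// merging with an existing rel value instead of overwriting it.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
    const tokens = new Set(relTokens(attrs));
    tokens.add('noopener');
    tokens.add('noreferrer');
    const relValue = [...tokens].join(' ');
    const relAttrRe = /(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;
    if (relAttrRe.test(attrText)) {
      return `<a${attrText.replace(relAttrRe, `$1rel="${relValue}"`)}>`;
    }
    return `<a${attrText} rel="${relValue}">`;
  });
}

// Stand-alone run: list the unsafe links, then show that hardening clears them.
console.log('unsafe before:', findUnsafeLinks(SAMPLE_HTML));
console.log('unsafe after :', findUnsafeLinks(hardenBlankLinks(SAMPLE_HTML)));
```

      The audit and the rewrite deliberately use the same predicate, so a cleaner can be checked by running the audit over its own output; a real HTMLCleaner pass would operate on the parsed DOM rather than on tag text, but the attribute rule is the same.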

People

  gdelhumeau Guillaume Delhumeau