
Security: HTML cache descriptions can fake website elements


Arielek


Hello.

Using fixed positioning it is possible to create an HTML cache description in such a way that we are able to display convincing official-looking popups/headers. If you place the code below in a cache description, then the website will display a popup message. With proper styling it would look like an official message from the website and could fool many users.

It is clear to me that the website already does some HTML cleaning and some checks (even in real time in the browser), but I do believe it still needs some improvements.

User provided HTML 100% should never be able to do this.
<div style="position:fixed;z-index:99999;left:calc(50vw - 335px);top:calc(50vh - 335px);">
	<div style="background-color:white;border-radius:20px;box-shadow:2px 2px 2px gray;width:650px;font-size:20px;height:calc(30vh);border:3px solid #02874d;display:flex;align-items:center;justify-content:center;">
		<a href="https://google.com/" style="color:black;">Free Premium! Click now!</a>
	</div>
</div>

[Screenshot attachment: Security.jpg]

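One way a site could close the gap described in this post is to treat inline styles with an allowlist: offsets and z-index are never accepted, and "position" is kept only with in-flow values, so user markup cannot leave the description box and overlay the site's own UI. This is an added example, not code from the forum or the website; it assumes a separate tag/attribute sanitizer already runs, and uses only the Python standard library.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist of cosmetic properties. Offsets (top/left/...) and z-index are
# absent, and "position" is accepted only with in-flow values.
ALLOWED_PROPS = {"color", "background-color", "font-size", "font-weight",
                 "text-align", "border", "border-radius", "box-shadow",
                 "padding", "margin", "width", "height", "display", "position"}
FLOW_POSITIONS = {"static", "relative"}  # fixed/absolute/sticky leave the box

def clean_style(style: str) -> str:
    """Keep only allowlisted declarations of one inline style string."""
    style = re.sub(r"/\*.*?\*/", "", style, flags=re.S)  # /**/ is whitespace to CSS
    kept = []
    for decl in style.split(";"):
        prop, _, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPS or not value or "\\" in value:
            continue  # unknown property, empty value, or CSS escape trickery
        if prop == "position" and value.lower() not in FLOW_POSITIONS:
            continue
        kept.append(f"{prop}:{value}")
    return ";".join(kept)

class StyleScrubber(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() == "style":
                value = clean_style(value or "")
                if not value:
                    continue  # nothing safe left: drop the attribute entirely
            parts.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def scrub_styles(html: str) -> str:
    """Re-serialise a fragment with every style attribute passed through clean_style."""
    parser = StyleScrubber()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

SAMPLE = ('<div style="position:fixed;z-index:99999;left:calc(50vw - 335px);">'  # constructed input
          '<a href="https://example.com/" style="color:black;">Free Premium!</a></div>')
```

The link itself survives, which is the separate policy question raised in the reply below: this scrubber only stops user content from being drawn on top of the site.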

I have been aware of this for a long time because I have used relative positioning of elements but never used fixed positioning in cache descriptions because it is too disturbing.

From the security point of view, the actual problem is not the possibility of creating credible-looking buttons, but the possibility of creating arbitrary links. This kind of scam also works without fixed positioning.


Even without links this is a fantastic tool for phishing attacks. I could even cover the whole website if I wanted, a big no-no. The more convincing I am able to make the attack, the bigger the security issue becomes.

One thing I am 100% confident of is that user-generated content should never, ever be able to spoof actual website elements. I am only a frontend developer, but any security researcher would agree after seeing the screenshot.

Arguing about whether this is an issue (it is) would take more time than just fixing it.

Edited by Arielek

Ditto. The HTML is already heavily sanitized, but the positioning has been around through it all. I've used it before, lightly, but understand that if one uses it then it makes the listing heavily reliant on a certain display context to look correct, at least in relation to the description 'box' of the website listing. Apps/devices that display descriptions with HTML may very well completely botch it.

Of course none of that addresses illegitimate/intentionally unsafe use (abuse) of it as in the phishing context mentioned.

They addressed this for public profile content quite some time back in an update. My guess is they didn't update listings in the same way because they have an added layer of reviewer approval, and as mentioned the type of content a user could put into positioned content is already so heavily sanitized that it'd be rendered primarily an annoyance at worst. They probably made a cost/benefit decision on it back then.
