Arielek Posted November 7, 2021
Hello. Using fixed positioning it is possible to create an HTML cache description in such a way that we are able to display convincing official-looking popups/headers. If you place the code below in a cache description, then the website will display a popup message. With proper styling it would look like an official message from the website and could fool many users. It is clear to me that the website already does some HTML-cleaning and does some checks (even in real-time in the browser), but I do believe it still needs some improvements. User-provided HTML 100% should never be able to do this.

<div style="position:fixed;z-index:99999;left:calc(50vw - 335px);top:calc(50vh - 335px);">
  <div style="background-color:white;border-radius:20px;box-shadow:2px 2px 2px gray;width:650px;font-size:20px;height:calc(30vh);border:3px solid #02874d;display:flex;align-items:center;justify-content:center;">
    <a href="https://google.com/" style="color:black;">Free Premium! Click now!</a>
  </div>
</div>
arisoft Posted November 7, 2021
I have been aware of this for a long time because I have used relative positioning of elements, but I never used fixed positioning in cache descriptions because it is too disturbing. From the security view, the actual problem is not the possibility to create credible-looking buttons, but the possibility to create arbitrary links. This kind of scam also works without fixed positioning.
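The two posts above describe the same weakness from two angles: positioning CSS in user-supplied HTML lets content escape its box and cover site UI, and an arbitrary href in that content is what turns the overlay into a phishing lure. The Python below is an added example, not code from this thread and not the geocaching site's actual sanitizer: an allowlist re-serialiser built on the standard library's HTMLParser that drops escape-capable CSS properties (position, z-index, offsets), keeps only a short list of presentational properties, refuses non-http(s) link targets, and removes script-like elements together with their content. The tag, attribute, CSS-property and URL-scheme allowlists are assumed policy for illustration, and the sample input is the overlay snippet quoted in the thread.

```python
"""Added example (not from the thread or the site it discusses): allowlist
sanitizer for user-supplied description HTML. It keeps simple formatting but
strips CSS that lets content leave its container, and rejects unsafe links.
All allowlists below are assumed policy, not the site's real rules."""
import html
from html.parser import HTMLParser

# Properties that let user markup leave its container and cover site UI.
LAYOUT_ESCAPE_PROPERTIES = {"position", "z-index", "top", "left", "right",
                            "bottom", "inset", "transform"}
ALLOWED_CSS_PROPERTIES = {"color", "background-color", "font-size", "font-weight", "text-align",
                          "border", "border-radius", "width", "height", "padding", "margin"}
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "img", "li", "ol", "p",
                "span", "strong", "u", "ul"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "style"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}  # content goes too
ALLOWED_URL_SCHEMES = ("http://", "https://")

def parse_style(style):
    """Split an inline style into lower-cased (property, value) pairs."""
    decls = [chunk.split(":", 1) for chunk in style.split(";") if ":" in chunk]
    return [(p.strip().lower(), v.strip()) for p, v in decls if p.strip() and v.strip()]

def find_layout_escapes(style):
    """Detection helper: which escape-capable properties does this style use?"""
    return sorted({p for p, _ in parse_style(style) if p in LAYOUT_ESCAPE_PROPERTIES})

def sanitize_style(style):
    """Keep only allowlisted declarations; position, z-index etc. are dropped."""
    kept = []
    for prop, value in parse_style(style):
        # url() values can trigger outbound requests; reject them even on allowed properties.
        if prop in ALLOWED_CSS_PROPERTIES and "url(" not in value.lower():
            kept.append(f"{prop}:{value}")
    return ";".join(kept)

def safe_url(value):
    """Return the URL if it uses an allowed scheme, otherwise None."""
    value = value.strip()
    return value if value.lower().startswith(ALLOWED_URL_SCHEMES) else None

class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_content = 0  # >0 while inside script/style/iframe-like elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_content += 1
        elif not self.drop_content and tag in ALLOWED_TAGS:  # unknown tags vanish, text stays
            parts = [tag]
            for name, value in attrs:
                name = name.lower()
                if name not in ALLOWED_ATTRS or value is None:
                    continue
                if name in ("href", "src"):
                    value = safe_url(value)
                elif name == "style":
                    value = sanitize_style(value)
                if value:  # attribute disappears if its value was rejected or emptied
                    parts.append(f'{name}="{html.escape(value, quote=True)}"')
            if tag == "a":  # no opener access, no ranking credit for user links
                parts.append('rel="nofollow noopener" target="_blank"')
            self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_content = max(0, self.drop_content - 1)
        elif not self.drop_content and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_content:
            self.out.append(html.escape(data))

def sanitize_description(markup):
    parser = DescriptionSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# The overlay snippet posted in the thread, used here as sample input.
POSTED_SNIPPET = (
    '<div style="position:fixed;z-index:99999;left:calc(50vw - 335px);top:calc(50vh - 335px);">'
    '<div style="background-color:white;border-radius:20px;box-shadow:2px 2px 2px gray;width:650px;'
    'font-size:20px;height:calc(30vh);border:3px solid #02874d;display:flex;align-items:center;'
    'justify-content:center;"><a href="https://google.com/" style="color:black;">'
    'Free Premium! Click now!</a></div></div>'
)

if __name__ == "__main__":
    print(find_layout_escapes("position:fixed;z-index:99999;left:0;top:0;"))
    print(sanitize_description(POSTED_SNIPPET))
```

Run on the posted snippet, the outer wrapper comes out as a bare `<div>` (every one of its declarations was a positioning property), the inner box keeps its colours and border, and the link survives only with an http(s) target plus `rel="nofollow noopener"`. `find_layout_escapes` is the moderation-side check: run over existing listings it flags descriptions that would render differently once positioning is stripped. An allowlist over parsed declarations is the point; a denylist of property names misses the next escape hatch, and a production deployment should use a maintained sanitizer such as bleach or DOMPurify with the same policy rather than this teaching version.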
Arielek Posted November 8, 2021
Even without links this is a fantastic tool for phishing attacks. I could even cover the whole website if I wanted, a big no-no. The more convincing I am able to make the attack, the bigger the security issue becomes. One thing I am 100% confident of is that user-generated content should never, ever be able to spoof actual website elements. I am only a frontend developer, but any security researcher would agree after seeing the screenshot. Arguing about whether this is an issue (it is) would take more time than just fixing it.
Edited November 8, 2021 by Arielek
dprovan Posted November 9, 2021
I've seen it used in puzzle caches. I'm not making an argument, just an observation.
thebruce0 Posted November 12, 2021
Ditto. The HTML is already heavily sanitized, but the positioning has been around through it all. I've used it before, lightly, but understand that if one uses that then it makes the listing heavily reliant on a certain display context to look correct. At least in relation to the description 'box' of the website listing. Apps/devices that display descriptions with HTML may very well completely botch it. Of course none of that addresses illegitimate/intentionally unsafe use (abuse) of it as in the phishing context mentioned. They addressed this for public profile content quite some time back in an update. My guess is they didn't update listings in the same way because they have an added layer of reviewer approval, and as mentioned the type of content a user could put into positioned content is already so heavily sanitized that it'd be rendered primarily an annoyance at worst. They probably made a cost/benefit decision on it back then.