Firefox bookmark cross-domain travel vulnerability

There is an interesting vulnerability in how Firefox handles bookmarks. It is relatively easy to trick a casual user into bookmarking a window that does not point to any remote location at all, but is instead an inline data: URL whose contents convincingly imitate a "tangible" webpage.

When such a bookmark is later selected, JavaScript code embedded in the data: URL executes in the context of the page currently displayed in that window (the last visited site), rather than in a fresh, isolated origin. This is the same mechanism that legitimate bookmarklets rely on, except that bookmarklets never camouflage themselves as a webpage, cannot normally be added with Ctrl-D alone, and are expected to be entered and invoked as a conscious user action instead.

The impact of this vulnerability isn't devastating, but any attention-grabbing webpage can spawn such a window for the user to bookmark, and then exploit this to launch attacks against, for example, common start pages such as Google, MSN, or AOL, possibly stealing credentials for services such as Google Mail. In the unlikely case that the victim is browsing local files or special URLs when the bookmark is opened, system compromise is possible.
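The practical consequence of the behaviour above is that a data: bookmark carrying a script is indistinguishable, at the moment it is selected, from a bookmarklet the user installed on purpose. The following is an added example (not code from the original advisory) that audits a Firefox bookmarks export for exactly such entries: it parses the NETSCAPE-Bookmark-file-1 HTML layout that Firefox writes, decodes data: URLs (base64 or percent-encoded), and flags those whose decoded content contains script, alongside plain javascript: bookmarklets. The sample export, the "Amazingly cool page!" payload and the heuristics are constructed for this example; the helper names are this example's own.

```javascript
// Added example, not part of the original advisory: audit a Firefox
// bookmarks export for entries that would behave like bookmarklets when
// selected, i.e. javascript: URLs and data: URLs carrying inline script.
// A casual user who pressed Ctrl-D on a disguised data: page has, under
// the vulnerable behaviour described above, installed exactly such an entry.
//
// Assumptions: the export uses the NETSCAPE-Bookmark-file-1 HTML layout
// that Firefox writes (<DT><A HREF="...">title</A> per entry). The
// export below is constructed for this example.

// A data: page that looks like ordinary content but carries a script.
// Under the vulnerable behaviour the script would run against whatever
// page is open when the bookmark is selected.
const DISGUISED_PAGE =
  '<h1>Amazingly cool page!</h1>' +
  '<script>document.title = document.cookie</script>';
const DISGUISED_DATA_URL =
  'data:text/html;base64,' + Buffer.from(DISGUISED_PAGE, 'utf8').toString('base64');

// Constructed sample export: one entry of each kind.
const SAMPLE_EXPORT = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks Menu</H1>
<DL><p>
    <DT><A HREF="https://www.google.com/">Google</A>
    <DT><A HREF="${DISGUISED_DATA_URL}">Amazingly cool page!</A>
    <DT><A HREF="data:text/html,%3Ch1%3ENothing%20to%20see%3C%2Fh1%3E">Harmless inline page</A>
    <DT><A HREF="javascript:void(document.body.style.background='pink')">Pinkify (bookmarklet)</A>
</DL><p>
`;

// Undo the HTML attribute escaping the export applies to HREF values.
function unescapeAttr(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Extract {href, title} for every <DT><A HREF="..."> entry.
function parseBookmarks(html) {
  const entries = [];
  const re = /<DT><A\s+HREF="([^"]*)"[^>]*>([^<]*)<\/A>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    entries.push({ href: unescapeAttr(m[1]), title: m[2] });
  }
  return entries;
}

// Decode the body of a data: URL (RFC 2397: data:[<mediatype>][;base64],<data>).
// Returns null if the URL is not a data: URL.
function decodeDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url.trim());
  if (!m) return null;
  const [, meta, body] = m;
  if (/;base64$/i.test(meta)) {
    return Buffer.from(body, 'base64').toString('utf8');
  }
  try {
    return decodeURIComponent(body);
  } catch (e) {
    return body; // malformed percent-encoding: inspect the raw body instead
  }
}

// Heuristics for script in decoded HTML: <script> tags, event handler
// attributes, and javascript: links.
const SCRIPT_MARKERS = [/<script\b/i, /\son[a-z]+\s*=/i, /javascript:/i];

// Classify one bookmark URL.
//   'bookmarklet'           javascript: URL (script by design)
//   'disguised-bookmarklet' data: URL whose decoded content contains script
//   'inline-data'           data: URL with no script detected
//   'ordinary'              anything else (http, https, file, ...)
function classifyBookmark(href) {
  const idx = href.indexOf(':');
  const scheme = idx < 0 ? '' : href.slice(0, idx).trim().toLowerCase();
  if (scheme === 'javascript') return 'bookmarklet';
  if (scheme === 'data') {
    const decoded = decodeDataUrl(href);
    if (decoded !== null && SCRIPT_MARKERS.some((re) => re.test(decoded))) {
      return 'disguised-bookmarklet';
    }
    return 'inline-data';
  }
  return 'ordinary';
}

// Audit a whole export: every entry with its classification.
function auditBookmarks(html) {
  return parseBookmarks(html).map((e) => ({ ...e, kind: classifyBookmark(e.href) }));
}

for (const e of auditBookmarks(SAMPLE_EXPORT)) {
  console.log(`${e.kind.padEnd(22)} ${e.title}`);
}
```

Run it with `node` against a real export (File > Bookmarks > Export in Firefox) by replacing SAMPLE_EXPORT with the file contents. The markers are deliberately simple; a data: page can also pull script in through an external `<script src>` or a frame, so treat any data: bookmark that the user does not remember creating as suspect, not only those the heuristics flag.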

Thanks to Piotr Szeptynski for bringing up the subject of bookmarks and inspiring me to dig into this.

To run a quick demo, follow these steps:

  1. Click here to begin the test.

  2. Follow the displayed instructions: bookmark the page, close the window.

    (...later...)


  3. Visit Google.com homepage.

  4. Open your bookmarks, choose the recently added entry ("Amazingly cool page!").

Depending on the outcome of this test, you will be taken back to an appropriate page on this server.

Note that the attack may not work as-is with the NoScript extension installed (but since the code executes in the context of the targeted website, NoScript's per-site allow rules for that site apply to it as well, so this utility may not offer complete protection).

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.