Firefox wyciwyg:// cache vulnerability demo

Mozilla Firefox implements a unique, strictly internal wyciwyg:// pseudo-URI scheme to store and later reference locally cached pages that were generated or modified by client-side script (a common practice on Web 2.0 sites).

Unfortunately, access control for wyciwyg:// URIs is largely ineffective. Although meant to be inaccessible to mere mortals, cached documents can be reached through XMLHttpRequest or an IFRAMEd view-source: (with the same-domain policy properly enforced, but still allowing rogue sites to store arbitrary markers on the victim's computer, bypassing cookie settings); and, more disturbingly, through HTTP 302 redirects, in which case the same-domain policy is not checked properly. The last option enables the attacker to:

Uncool. I provided a quick demonstration of that last option against a fictitious bank of mine, hosted at a distinct domain (beaverbank.dione.cc). To test your browser, follow these steps:

  1. Go to Beaver Creek Bank and click on the login button,
  2. Close the Beaver Bank window (feel free to kill some time if desired),
  3. Click on the button below to intercept the previously edited page and replace its contents.

Should beaverbank.dione.cc be an SSL site with a valid certificate, our spoofed page would also appear to have a valid cert, which puts the attack a notch above your typical URL bar spoofing scenario. Also, as indicated above, should any of the dynamically generated or modified pages contain sensitive information, we could divert that data elsewhere (there are several large webmail providers who would be vulnerable).
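The root of the 302 problem described above is that a redirect target is followed without checking which URI scheme it resolves to. The following is an added example, not code from this advisory or from Mozilla: a scheme allow-list check of the kind a browser's redirect handler or a filtering proxy can apply before following any 3xx Location header, so that a redirect can never land on an internal pseudo-URI such as wyciwyg:// or view-source:. The allow-list policy, the host name attacker.invalid and the wyciwyg:// identifier in the sample responses are all constructed for the demonstration.

```python
# Added example, not code from the advisory or from Mozilla: an allow-list check
# on HTTP redirect targets, of the kind a browser's redirect handler or a
# filtering proxy would apply so that a 3xx Location header cannot steer the
# client onto an internal pseudo-URI scheme such as wyciwyg:// or view-source:.
from urllib.parse import urljoin, urlsplit

# Hypothetical policy: only ordinary web schemes may be reached by following a
# redirect. Everything else (wyciwyg, view-source, javascript, file, ...) is
# refused regardless of where the redirect came from.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a Location header value against the URL that was requested.

    Relative and scheme-relative Locations inherit the request's scheme; an
    absolute URI carrying its own scheme is returned unchanged by urljoin,
    which is exactly the case the allow-list has to catch.
    """
    return urljoin(request_url, location.strip())


def redirect_scheme(request_url: str, location: str) -> str:
    """Lower-cased scheme of the fully resolved redirect target."""
    return urlsplit(resolve_location(request_url, location)).scheme.lower()


def check_redirect(request_url: str, status: int, headers: dict) -> tuple:
    """Decide whether a response's redirect may be followed.

    Returns (follow, detail): on success detail is the resolved target URL,
    otherwise a short reason suitable for a log line.
    """
    if status not in REDIRECT_STATUSES:
        return (False, "not a redirect")
    # Header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    location = lowered.get("location")
    if location is None:
        return (False, "redirect without Location header")
    target = resolve_location(request_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        return (False, f"blocked: Location resolves to {scheme!r} scheme")
    return (True, target)


# Constructed sample responses (no real traffic): the host name attacker.invalid
# and the wyciwyg:// identifier are made up for the demonstration. The third
# entry also exercises a lower-cased header name, leading whitespace and an
# upper-cased scheme, all of which the check must still normalise.
CONSTRUCTED_RESPONSES = [
    ("http://attacker.invalid/go", 302, {"Location": "http://attacker.invalid/landing"}),
    ("http://attacker.invalid/go", 302, {"Location": "/landing"}),
    ("http://attacker.invalid/go", 302, {"location": "  WYCIWYG://0/http://beaverbank.dione.cc/login"}),
    ("http://attacker.invalid/go", 302, {"Location": "view-source:http://beaverbank.dione.cc/"}),
    ("http://attacker.invalid/go", 200, {"Content-Type": "text/html"}),
]


def audit(responses=CONSTRUCTED_RESPONSES) -> list:
    """Run the check over a batch of responses and return the decisions."""
    return [check_redirect(url, status, headers) for url, status, headers in responses]


if __name__ == "__main__":
    for (url, status, _), (follow, detail) in zip(CONSTRUCTED_RESPONSES, audit()):
        print(f"{status} from {url}: {'follow -> ' if follow else 'refuse: '}{detail}")
```

The decision is made on the resolved target rather than on the raw header value, because a relative Location legitimately inherits the request's scheme while an absolute one does not; checking the scheme after resolution covers both without special-casing either.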

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.