How to fix the target="_blank" exploit

I was bored whilst waiting for a Git repo to clone, so I decided to play around a little with a very old exploit (four or five months old), so I wasn't expecting much. The exploit I'm talking about is the target="_blank" one. What happens is that when you open a link in a new tab, the new page has access to window.opener.location, and it can write to that property even though the two pages are on different origins.

All you need on your site to test the exploit is:

<script>
  if (window.opener) { opener.location = 'https://bukssaayman.co.za/you-have-been-hacked/'; }
</script>

Examples:
(Single left-) Click here: you'll just see my site open in a new tab
(Single left-) Click here: and watch the original window change to my "you're hacked" page
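The defence against this is to stop the new tab from getting a usable window.opener in the first place: any link that opens a new tab should carry rel="noopener" (rel="noreferrer" implies it in current browsers, so the usual pairing is rel="noopener noreferrer"). The script below is an added example, not code from the original post: it scans a string of HTML for target="_blank" anchors that lack noopener, and produces a hardened copy of the markup. The SAMPLE_HTML and the example.com links in it are constructed for the demonstration, and the attribute parsing is regex-based, so it is a review aid for simple templates rather than a full HTML parser.

```javascript
// Added example, not the original post's code: audit and harden
// target="_blank" links against window.opener abuse.

// Matches the opening tag of each anchor and captures its attribute text.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Matches name="value", name='value' or name=value pairs inside a tag.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Split a rel attribute into its individual lower-cased tokens.
function relTokens(rel) {
  return (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Return { href, rel } for every <a target="_blank"> whose rel lacks "noopener".
// These are the links that hand the opened page a working window.opener.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    if (!relTokens(attrs.rel).includes('noopener')) {
      findings.push({ href: attrs.href || '', rel: attrs.rel || '' });
    }
  }
  return findings;
}

// Rewrite the markup so every target="_blank" anchor carries
// rel="noopener noreferrer"; any rel tokens already present are kept.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (full, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || '').toLowerCase() !== '_blank') return full;
    const tokens = new Set(relTokens(attrs.rel));
    tokens.add('noopener');
    tokens.add('noreferrer');
    const relValue = [...tokens].join(' ');
    const relAttr = /(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;
    if (relAttr.test(attrText)) {
      return `<a${attrText.replace(relAttr, `$1rel="${relValue}"`)}>`;
    }
    return `<a${attrText} rel="${relValue}">`;
  });
}

// Constructed sample: a profile page with a mix of safe and unsafe links.
const SAMPLE_HTML = `
<p>Profile links (constructed sample):</p>
<a href="https://example.com/blog" target="_blank">My blog</a>
<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">Safe link</a>
<a href="https://example.com/follow" target="_blank" rel="nofollow">Follow</a>
<a href="https://example.com/same-tab">Same tab</a>
`;

// Stand-alone run: report the unsafe links, then show that the hardened
// markup no longer has any.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('Unsafe links:', findUnsafeBlankLinks(SAMPLE_HTML));
  const hardened = hardenBlankLinks(SAMPLE_HTML);
  console.log('After hardening:', findUnsafeBlankLinks(hardened).length, 'unsafe links remain');
  console.log(hardened);
}
```

The same idea applies to links opened from script: window.open(url, '_blank', 'noopener') gives the new window no reference back to the opener, so it cannot redirect the tab the user was logged in to.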

I was keen to test this on a few social media sites where I have links to my blog. I never expected Facebook to be susceptible to this exploit but it was one of the first that I found to be susceptible. On my profile’s about page, when you click on my website URL, it opens in a new tab and the old one redirects to my “you’re hacked page”. Crazy.

The possibilities with this are endless. You can set up a spoof page for any social network or site you want to steal users' credentials for, and once they click on your link on the real site, the tab they are logged in to is redirected to your fake site, which tells them they have been logged out and asks them to log back in, and so you steal their login details.

I alerted Facebook via their bug bounty program, explaining the whole situation. After about 10 minutes I went to check and they had fixed the bug, but had given no response on the ticket I logged. At the time of writing this blog entry, it's been a few days and I still have not received a response. I'm not expecting an award; just an acknowledgement that I helped them out would be great.

Anyway, if your blog or site is affected by this, contact me to help you sort it out.