CVE CyberSecurity Database News

CVE-2023-28164 - A Critical Vulnerability in Firefox and Thunderbird: Cross-Origin Iframe URL Dragging and Website Spoofing Attacks

Poster -

A critical vulnerability, identified as CVE-2023-28164, has been discovered in Mozilla Firefox, Firefox ESR, and Thunderbird, which affects versions prior to Firefox 111, Firefox ESR 102.9, and Thunderbird 102.9. The issue arises due to a flaw in Firefox's and Thunderbird's handling of cross-origin iframes while dragging URLs. Website spoofing attacks and user confusion might occur when exploiting this vulnerability, which poses a significant threat to users' privacy and security.

Exploit Details

The core issue of CVE-2023-28164 arises when a user drags a URL from a cross-origin iframe that was removed during the drag operation. As a result of this flaw, an attacker might potentially succeed in deceiving users by employing website spoofing attacks. During such attacks, malicious actors impersonate legitimate websites to steal users' sensitive information, such as login credentials and personal data, or even spread malware.

To illustrate the core problem, let's consider the following code snippet

<!-- Attacker's malicious website: malicious-example.com -->

<!DOCTYPE html>
<html>
<head>
  <title>Malicious Website</title>
</head>
<body>
  <iframe id="iframeVulnerable" src="https://legit-site.com"; style="position:absolute; width: 100%; height: 100%;">
  </iframe>
  <script>
    document.getElementById("iframeVulnerable").addEventListener("dragstart", function(event) {
      setTimeout(function() {
        document.getElementById("iframeVulnerable").remove();
      }, );
    });
  </script>
</body>
</html>

In this example, an attacker could set up a malicious website hosting an embedded iframe pointing to a legitimate website (in this case, "legit-site.com"). Upon dragging a URL from the legit website, the attacker initiates a script to remove the iframe, potentially leading to user confusion or a website spoofing attack.

Thunderbird 102.9

Users are strongly advised to update their Firefox and Thunderbird installations to the latest versions to protect themselves from potential attacks.

For more details about the vulnerability and patch release, please refer to the following resources

- Mozilla Foundation Security Advisory 2023-15
- Mozilla Firefox Patch Release Notes
- Mozilla Thunderbird Patch Release Notes
- National Vulnerability Database (NVD) Entry for CVE-2023-28164

In conclusion, CVE-2023-28164 presents a serious threat to users' privacy and security by exploiting a flaw in Firefox and Thunderbird's handling of cross-origin iframe URL dragging. To keep your system secure, update to the latest versions of Mozilla's software and be cautious when interacting with websites that may contain suspicious embedded iframes. Always verify the legitimacy of a website before inputting sensitive information.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 16:03:00 UTC