
security-00004's Issues

redirect while opening links in new tabs

Reported by hami hax to [email protected]:

Hello Team,
I'd like to report to you a nice little bug about opening links in new tabs.
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change its location using the window.opener property.

POC:
http://newbangaloreprojects.com/non.html (just click on the link, don't worry, no harm will be done).
Don't right-click it and open it in new tab, don't use the mouse wheel to open it, don't Ctrl+Click, just do a normal click on the link.

The javascript code that does all the magic:
window.opener.location.replace(newURL);

When someone clicks on the link, it automatically redirects to
http://newbangaloreprojects.com/loginpy.html
my phishing page :-p

I hope you see why this is dangerous: this method has huge potential for tricking gratipay.com users who click on external links from this site into becoming victims of a scam page, because the redirect is made in the background while the user is focused on another tab.
More than that, some browsers like Mozilla for Android don't even display the URL, just the page title, so the user has no way of knowing that he was redirected to a scam page.
Tested on Chrome version 36 (latest version), Firefox for Windows and Android (latest versions). Websites that protect themselves against this kind of attack: google.com websites, twitter.com (they open links in new tabs, but the window.opener property is set to null).

Here's the code I use for this exploit:

<html>
<script>
window.opener.location.replace('http://newbangaloreprojects.com/loginpy.html');
</script>
My cool page with some funny cat pictures.<br> <br>
<img style="height:400px; width:300px;" src="http://static.tumblr.com/81b6d42b4064def5e9062d5f4410c820/betml74/Yl5ml0lia/tumblr_static_impress.jpg">
</html>

I hope you check it. Thanks :)
