Cross-strike scripting

Developers patched a security vulnerability in a web application that accompanied the Global Climate Strike – just one week before the protests took place last Friday.

The Digital Climate Strike widget was developed as a means for organizations and anyone with a website to show solidarity with the activists who were demanding action over the global climate crisis.

The free utility took the form of a website banner that expanded to full screen on the day of the protests on September 20, temporarily blocking access to the sites in order to highlight the environmental campaign.

The web initiative was embraced by dozens of tech organizations, including WordPress, Tumblr, the Wikimedia Foundation, Drupal, and the Tor Project.

With just one week to go, however, Frederik Braun, security engineer at Mozilla, alerted the developers to a cross-site scripting (XSS) vulnerability that could have allowed an attacker to use the widget to execute malicious code and potentially hijack user accounts.

“[The receiveMessage] function is meant to be a simple redirect,” Braun explained in a blog post published earlier today.

“However, the linkUrl is not being checked against a list of known URLs. We could just redirect to javascript: URLs.”

Rapid fix

Providing additional information on the security flaw he discovered in the Global Climate Strike widget, Braun told The Daily Swig: “The impact of an XSS vulnerability through a buggy JS file is that of any XSS vulnerability: the scope of the attack is that of another user being exploited.”

Left unpatched, the vulnerability could have allowed an attacker to access users’ private messages, or create, delete, and modify personal posts, the researcher said.

“Furthermore, one could add fake login forms and try to steal the user’s password,” he added.

The developers of the widget quickly implemented a bug fix based on Braun’s suggestions, shielding those sites from any potential security risk.

“When I found the bug, I reached out to the organizers by creating a patch and publicly asking for it to be applied through a pull request on GitHub,” Braun explained.

“Secondly, I reached out the public email address as listed on their profile. This was all late in the day my time (CEST). They responded within a couple of hours and fixed it.”

The Daily Swig has approached the developers of the Digital Climate Strike app for comment.


YOU MAY ALSO LIKE Researcher gives low-down on serious uXSS flaw in Microsoft Edge