Aaron Parecki

  • Day 54: Fixed a JS Vulnerability in Quill #100DaysOfIndieWeb

    February 12, 2017

    Thanks to @sebsel for pointing this out!

    Quill has bookmarklets to quickly launch a few parts of the interface, specifically replies, bookmarks and favorites. I use the "favorite" bookmarklet on a regular basis, as it allows me to favorite the page I am viewing with just one click. The bookmarklet is quite simple. It essentially just redirects to Quill's "favorite" page with the URL of the page the browser was previously on in the query string, and it also appends the parameter "autosubmit=true".

    Sebastiaan noticed that it was actually quite trivial to craft an attack for this, by embedding an iframe in a web page with a URL of:

    <iframe src="https://quill.p3k.io/favorite?url=http://attacker.example.com/&autosubmit=true">

    The JavaScript on the page would recognize the "autosubmit" parameter, and then helpfully click the "favorite" button for you! The worst part is that it would be completely invisible! (This would only work if you were already logged in to Quill, but since Quill sets long cookie lifetimes it was likely you would have an active session already.)

    I can't believe I didn't notice this when I added that feature!

    My solution for this is to use a signed token that gets included in the bookmarklet URL alongside the autosubmit=true parameter. The only way to get that token is when you are signed in, and it's also keyed to your account. This means an attacker now has no way to generate a token that will trigger the automatic clicking of the "like" button. When Quill renders the "favorite" page, it first checks whether there is a token and validates that it matches the signed-in user, and only if so does it include the JavaScript that automatically clicks the button.

    Portland, Oregon
    Sun, Feb 12, 2017 8:28pm -08:00 #security #quill #100daysofindieweb