Jan 26, 2010

Blogger allows running arbitrary JavaScript

I guess this is a known issue since it's so simple to do; anyway, I think people should be aware of it.
While editing a blog post, I realized that Blogger allows running arbitrary JavaScript in blogs. This is both good and bad. It's good because you can post demo code and run it, track users, modify the web pages at will, etc. But it's bad because it can be used as a malware distribution system, to steal information from blog visitors, to exploit browser vulnerabilities, etc.

Naive demo: Click here

BTW: It's not possible to steal Blogger cookies if you are logged in, since Blogger cookies are used only on Blogger.com and not on *.blogspot.com.
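
Added example (not part of the original post): a sketch of the RFC 6265 domain-matching rule that decides which cookies a script running on a *.blogspot.com host can read, showing why cookies scoped to Blogger.com stay out of reach. The cookie names, the host example.blogspot.com and the jar contents are constructed for illustration; Path and Secure handling are left out.

```javascript
// Added example: RFC 6265 cookie domain-matching, reduced to the Domain and
// HttpOnly attributes. Hosts and cookie names are constructed sample values.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are identical, or when the host ends with "." + domain and is not an IP.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// A cookie stored without a Domain attribute is host-only: exact host match.
function cookieApplies(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// Names of the cookies a script on `host` could read via document.cookie.
// HttpOnly cookies are sent with requests but are hidden from script.
function scriptVisibleCookies(jar, host) {
  return jar
    .filter((c) => cookieApplies(c, host) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed cookie jar for a visitor who is logged in on blogger.com.
const jar = [
  { name: "session", domain: "blogger.com", hostOnly: false, httpOnly: false },
  { name: "prefs", domain: "www.blogger.com", hostOnly: true, httpOnly: false },
  { name: "visits", domain: "example.blogspot.com", hostOnly: true, httpOnly: false },
];

// Script embedded in a blog post runs on the blogspot.com host.
console.log(scriptVisibleCookies(jar, "example.blogspot.com"));
// The same jar seen from the authenticated site.
console.log(scriptVisibleCookies(jar, "www.blogger.com"));
// A look-alike suffix does not match: the "." boundary is required.
console.log(domainMatch("evilblogger.com", "blogger.com"));
```
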

3 comments:

SkyLined said...

This is by design. You cannot access anything important from the domain that the JavaScript is running under, so there really is nothing to steal. There are so many places you can host JavaScript that adding another place really is not a particular worry.

I've been using it for years to redirect my old blog to my new one, making sure that the "path" of the URL is translated.

view-source:http://berendjanwever.blogspot.com

Look for this:
var sUrl = "http://skypher.com/wiki/index.php?title=" + location.href.substr(7);
try { location.replace(sUrl); } catch (e) {
try { location = sUrl; } catch (e) { }
}

(Yes, I know my wiki is currently dead :S)

Cheers,
SkyLined

Cesar Cerrudo said...

@SkyLined yes, I thought it could be known; anyway, I think that allowing JavaScript on blogs is not safe, it can be abused in too many ways.

Cesar Cerrudo said...

@SkyLined I forgot to mention an example: if you look at my previous blog post and comments, you will see that the Chrome and Safari issue could be exploited from any Blogger blog to own Blogger users. For instance, if you visit my blog with Chrome or Safari while you are logged in to Blogger, then I can hack your blog.