Hello All,

Following the discovery of the iframe content to execute JS in TiddlyWiki, 
I began pentesting TW to find other methods of executing JS, but without 
any kind of sandbox. What I discovered is that TW correctly sanitizes 
<script> tags, but did not know how to deal with base64-encoded URLs. 

What I was then able to do was create an auto-executing JavaScript 
keylogger using this method, which is invisible to the user. Below is a 
minimal reproducible example of the code I used. 

<object 
data="data:text/html;base64,PHNjcmlwdD4KdmFyIGtleWxvZyA9IFtdOwpkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCdrZXl1cCcsIGZ1bmN0aW9uKGUpewprZXlsb2cucHVzaChlLndoaWNoKTsKYWxlcnQoa2V5bG9nKTsKfSk7Cjwvc2NyaXB0Pg=="></object>

Try pasting it into a tiddler, and it will alert your keystrokes back to 
you. What makes this more dangerous than the iframe is that it has DIRECT 
ACCESS to your TW instance, so practically anything can be done. For 
example, I could steal your TiddlyWiki instance, encrypt it, and hold it 
for ransom, as soon as your page loaded.

Furthermore, this method of attack does not have to be downloaded. It can 
be pasted in a TiddlyWiki, saved, and then anyone who visits that TW will 
be infected. 

Someone let me know that this is, indeed, a security flaw. Meanwhile I 
will let the GitHub devs know. 

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/f5c67847-fa09-4c02-9f32-b63aa874d44dn%40googlegroups.com.

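The weakness the post describes is a sanitizer that strips <script> but trusts whatever a data: URL carries. The following is an added defender-side check, not code from the post or from TiddlyWiki: it finds data: URLs in embedding attributes, decodes the base64 or percent-encoded body, and flags the ones that carry HTML or script. It assumes Node's Buffer for base64 decoding; the sample markup is constructed here.

```javascript
// Added example: detect data: URLs in embedding attributes that carry
// active content (HTML/SVG documents or inline script), as a sanitizer
// check or a scan over saved wiki content. Not TiddlyWiki's own code.
const EMBED_ATTR =
  /<(object|embed|iframe|img)\b[^>]*?\s(data|src)\s*=\s*["']?\s*(data:[^"'\s>]+)/gi;

// Parse data:[<mediatype>][;base64],<data> and return the decoded body.
function decodeDataUrl(url) {
  const comma = url.indexOf(',');
  if (comma < 0) return { mediaType: '', body: '' };
  const header = url.slice('data:'.length, comma);
  const payload = url.slice(comma + 1);
  const isBase64 = /(^|;)base64$/i.test(header);
  const mediaType = (header.split(';')[0] || 'text/plain').toLowerCase();
  let body;
  try {
    body = isBase64
      ? Buffer.from(payload, 'base64').toString('utf8')
      : decodeURIComponent(payload);
  } catch (e) {
    body = payload; // malformed encoding: inspect the raw payload instead
  }
  return { mediaType, body };
}

// Return one finding per embedded data: URL whose content can run script.
function findActiveDataUrls(html) {
  const findings = [];
  for (const m of html.matchAll(EMBED_ATTR)) {
    const [, tag, attr, url] = m;
    const { mediaType, body } = decodeDataUrl(url);
    const hasScript = /<script\b|\bon[a-z]+\s*=|javascript:/i.test(body);
    const isDocument = mediaType === 'text/html' || mediaType.includes('svg');
    if (isDocument || hasScript) {
      findings.push({ tag: tag.toLowerCase(), attr: attr.toLowerCase(), mediaType, hasScript });
    }
  }
  return findings;
}

// Constructed sample: one base64 <object>, one percent-encoded <iframe>,
// and a plain image that must not be flagged.
const PAYLOAD = Buffer.from('<script>alert(1)</script>').toString('base64');
const SAMPLE = [
  '<p>harmless text</p>',
  `<object data="data:text/html;base64,${PAYLOAD}"></object>`,
  '<img src="data:image/png;base64,iVBORw0KGgo=">',
  '<iframe src="data:text/html,%3Cscript%3Ealert(1)%3C/script%3E"></iframe>',
].join('\n');
```

Running `findActiveDataUrls(SAMPLE)` reports the object and the iframe but not the PNG; a sanitizer can use the same decode step to reject or neutralise such elements before they are rendered.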