Update: just let the devs know (https://github.com/Jermolene/TiddlyWiki5/issues/5960)
On Tuesday, August 17, 2021 at 9:12:15 AM UTC-4 Finn Lancaster wrote:

> Hello All,
>
> Following the discovery of the iframe content to execute JS in TiddlyWiki, I began pentesting TW to find other methods of executing JS, but without any kind of sandbox. What I discovered is that TW correctly sanitizes <script> tags, but did not know how to deal with base64 encoded urls.
>
> What I was then able to do was create an auto-executing JavaScript keylogger using this method, which is invisible to the user. Below is a minimal-reproducible example of the code I used.
>
> <object data="data:text/html;base64,PHNjcmlwdD4KdmFyIGtleWxvZyA9IFtdOwpkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCdrZXl1cCcsIGZ1bmN0aW9uKGUpewprZXlsb2cucHVzaChlLndoaWNoKTsKYWxlcnQoa2V5bG9nKTsKfSk7Cjwvc2NyaXB0Pg=="></object>
>
> Try pasting it into a tiddler, and it will alert your keystrokes back to you. What makes this more dangerous than the iframe is that it has DIRECT ACCESS to your TW instance, so practically anything can be done. For example, I could steal your tiddlywiki instance, encrypt it, and hold it for ransom, as soon as your page loaded.
>
> Furthermore, this method of attack does not have to be downloaded. It can be pasted in a TiddlyWiki, saved, and then anyone who visits that TW will be infected.
>
> Someone let me know that this is, indeed, a security flaw. Meanwhile I will let the Github devs know.

To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/4bf67b64-ac9f-41a0-be7d-14dfab9b5c13n%40googlegroups.com.
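As an added example that is not part of the post and not TiddlyWiki's own sanitizer, the check below closes the gap the post describes: it inspects URL-bearing attributes and rejects data: URLs whose MIME type (or decoded payload) is HTML or script, while leaving plain links and image data URLs alone. The attribute list, MIME list and the sample input are assumptions made for the example.

```javascript
// Added example (not TiddlyWiki code): reject URL attribute values that a
// browser would execute, including data:text/html;base64,... on <object data>.
const URL_ATTRS = new Set(["data", "src", "href", "codebase", "action"]);
// MIME types the browser renders as a document or runs as script, not inert data.
const ACTIVE_MIME = /^(text\/html|application\/xhtml\+xml|image\/svg\+xml|text\/javascript|application\/(x-)?javascript|application\/ecmascript)$/i;
// Markup that signals a smuggled document even under a harmless-looking MIME type.
const ACTIVE_TAG = /<\s*(script|object|embed|iframe|svg|meta)\b/i;

// Parse a data: URL into { mime, isBase64, body }, or null if it is not one.
function parseDataUrl(value) {
  // Browsers drop tabs/newlines inside URLs; stripping all control chars and
  // spaces before matching the scheme is stricter than the browser, on purpose.
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(value.replace(/[\u0000-\u0020]/g, ""));
  if (!m) return null;
  const meta = m[1].split(";");
  return {
    mime: (meta[0] || "text/plain").toLowerCase(), // data:,... defaults to text/plain
    isBase64: meta.slice(1).some(p => p.toLowerCase() === "base64"),
    body: m[2],
  };
}

// Returns "block" if the attribute value could execute script, else "allow".
function checkUrlAttribute(name, value) {
  if (!URL_ATTRS.has(name.toLowerCase())) return "allow"; // not a URL attribute
  const compact = value.replace(/[\u0000-\u0020]/g, "");
  if (/^(javascript|vbscript):/i.test(compact)) return "block";
  const du = parseDataUrl(value);
  if (!du) return "allow";                       // http(s), relative paths, etc.
  if (ACTIVE_MIME.test(du.mime)) return "block"; // e.g. data:text/html;base64,...
  // Defence in depth: decode the payload and look for markup anyway.
  let decoded;
  try {
    decoded = du.isBase64 ? Buffer.from(du.body, "base64").toString("utf8")
                          : decodeURIComponent(du.body);
  } catch {
    return "block";                              // undecodable payload: be conservative
  }
  return ACTIVE_TAG.test(decoded) ? "block" : "allow";
}

// Drop blocked URL attributes from an element's attribute map.
function sanitizeAttributes(attrs) {
  const kept = {}, removed = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (checkUrlAttribute(name, value) === "block") removed.push(name);
    else kept[name] = value;
  }
  return { kept, removed };
}

// Constructed sample (not the post's payload): an <object> whose data attribute
// is a base64-encoded HTML document, the shape of the bypass described above.
const SAMPLE_OBJECT = {
  data: "data:text/html;base64," + Buffer.from("<p>constructed sample</p>").toString("base64"),
  type: "text/html",
};
```

Running `sanitizeAttributes(SAMPLE_OBJECT)` keeps `type` and removes `data`; a `src="data:image/png;base64,..."` image passes through unchanged.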