Automattic: Simplenote Silverlight cross-domain policy misconfiguration

2014-04-14T15:29:06
ID H1:7571
Type hackerone
Reporter melvin
Modified 2014-05-17T19:01:03

Description

The Simplenote application publishes a Silverlight cross-domain policy which allows access from any domain.

<allow-from http-request-headers="*">
  <domain uri="http://*"/>
  <domain uri="https://*"/>
</allow-from>

Allowing access from all domains means that any domain can perform two-way interaction with this application. This policy is likely to present a significant security risk.

If a user is logged in to the application, and visits a domain allowed by the policy (any domain, in this case), then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.