It's important with any app, but especially desktop apps, to load all external content over a secure connection. If you use an insecure connection it's trivial for someone to perform a man-in-the-middle (MITM) attack and inject their own content. In my proof of concept I MITM my own machine locally, but it's important to understand that this attack can be pulled off by anyone in between the user and the destination server. For example, anyone on the same WiFi or LAN, an employee at an ISP or data center, or any malicious party in between.
The BarterDEX GUI loads a webfont stylesheet (http://fonts.googleapis.com/css?family=Open+Sans) over an insecure connection. You can perform a MITM attack and inject arbitrary CSS that will be rendered by the app. Example below:
This isn't an XSS vulnerability because you can't inject JavaScript, only CSS. However, it's not limited to visual defacing like in my PoC; you can get pretty creative with CSS and still pull off some scary attacks, such as:
- Read data from the page
- Steal CSRF tokens
- Implement a keylogger
- Trick users into clicking whatever you want
Sources:
- https://github.com/maxchehab/CSS-Keylogging
- https://github.com/dxa4481/cssInjection
- https://portswigger.net/kb/issues/00501300_css-injection-reflected
- https://curesec.com/blog/article/blog/Reading-Data-via-CSS-Injection-180.html
The external stylesheet should be loaded over a secure connection.
Fixed in this PR: KomodoPlatform/BarterDEX#241
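As an added example (not part of this report or the BarterDEX code), here is a small Python check in the spirit of the fix above: it walks an HTML document and flags every external resource fetched over plaintext http or via a protocol-relative URL, including `@import` inside inline styles, so a build or review step can catch insecure loads like the webfont stylesheet before they ship. The sample HTML and the `example.invalid` hosts are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose value the renderer fetches from the network.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
IMPORT_RE = re.compile(r"""@import\s+(?:url\()?["']?([^"'()\s;]+)""", re.I)


def classify(url):
    """Return why a URL is unsafe to load, or None if it is acceptable."""
    url = url.strip()
    if url.startswith("//"):  # inherits the page's scheme, which need not be https
        return "protocol-relative URL"
    if urlparse(url).scheme.lower() == "http":
        return "plaintext http"
    return None


class InsecureResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        url = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        if url and classify(url):
            self.findings.append((tag, url.strip(), classify(url)))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # @import in an inline stylesheet is fetched like <link>
            for url in IMPORT_RE.findall(data):
                if classify(url):
                    self.findings.append(("@import", url, classify(url)))


def find_insecure_resources(html):
    """Return (tag, url, reason) for every insecurely loaded resource in html."""
    parser = InsecureResourceFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the report's insecure webfont stylesheet, a protocol-relative
# script, an inline @import over http, and one correctly loaded https stylesheet.
SAMPLE_HTML = """<head><link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://example.invalid/app.css">
<script src="//cdn.example.invalid/vendor.js"></script>
<style>@import url(http://example.invalid/theme.css);</style></head>"""
```

Running `find_insecure_resources(SAMPLE_HTML)` reports three findings and leaves the https stylesheet alone; the remediation for each is the same one this report asks for, loading the resource over https.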