Scroll to Text Fragment (STTF), a feature that can be used to directly browse to a specific text fragment on a webpage, can be exploited to leak sensitive user information, a security researcher has found.
The exploit, discovered by SecForce’s Maciej Piechota, uses CSS selectors to extract information from the web page and send them to a server controlled by the attacker.
Users can use the STTF feature by using the ‘#:~:text’ identifier and appending a text string to the URL of a webpage. If the string exists on the page, the browser will directly scroll to it and highlight the relevant section.
Exfiltrating data using STTF
“I received a link from a friend which included Scroll to Text Fragment and I started wondering how the highlighting is done on the successful scroll and if it could be customized somehow,” Piechota told The Daily Swig.
STTF uses a special CSS directive to highlight the target text. Piechota found that if a page has a CSS injection vulnerability, an attacker can manipulate style specifications to cause the browser to send data to an attacker-controlled server through attributes that support the ‘url’ function.
“This issue is an example of malicious misuse of a feature, rather than a vulnerability,” Piechota said.
In his write-up of the exploit, Piechota details three different kinds of attacks using the STTF feature. In one proof of concept, the adversary sends a specially crafted URL that reveals to the attacker’s server whether the target is an administrator.
“All of attacks target and can exfiltrate data that is visible on the currently browsed website by the victim,” Piechota said.
STTF was designed with security features to prevent the exfiltration of secret/random data. It also requires user interaction to avoid automated attacks.
Attackers can circumvent some of these safeguards by exploiting the victim’s lack of security awareness via social engineering. Piechota also discovered that an attacker could exploit browser extensions such as adblockers to imitate user clicks, which is needed for the STTF feature to work.
One of the PoCs uses the STTF scheme to reveal the recovery seed phrase of the victim’s cryptocurrency wallet.
Targeted attacks
“I would say this technique is handy in two scenarios,” Piechota said. “First: when the attackers find a vulnerability on the site and want to target the administrator out of a group of all users unknown to them.
“Second: when the attacker knows the victim and needs answers to specific questions, like ‘do[es] the victim have 2FA enabled?’, or, ‘Did they receive the offer from company A?’”
According to Piechota, like many cross-site leak (XS-Leak) attacks, the STTF exploit requires some level of social engineering to lure the victim to visit the attacker’s page. “In this case even more so, as we would need to lure the victim to execute certain actions,” he said.
Piechota warned that developers should be aware that even innocent-looking browser features can be exploited by sophisticated attackers. The STTF leak shows that CSS injection bugs can lead to powerful attacks.
“For the users, it’s the same old story – think before opening a link and use up-to-date software,” Piechota said.
