![]() ![]() This has made it much easier for users to find intriguing people to connect with. Thanks to services such as our chatting with stranger feature which enables males to talk to female strangers online. Users may now quickly discover interesting people and chat with strangers anonymously. This is largely attributable to the rise in popularity of websites like MeetYou and omegle. Because of the rise in popularity of websites and apps like omegle and others that give users the ability to communicate with complete and absolute strangers, talking to completely unknown people from other countries has become a more common pastime among younger people in recent years. Participate in random discussions with total strangers by using our talk to stranger chat rooms. With the help of our totally free online chat rooms, you are able to have conversations with complete strangers in a way that is both easy and private. There is a caveat however - you need to enable JavaScript in the "Smart search field" in the developer menu.Talk to strangers online in our free to use chat rooms that let you talk with stranger girls & boys anonymously without sign in. When you've clicked the link you get a server error message, but hitting refresh will execute the JavaScript in the context of "safari-resource". When you hover over the above image, Safari will allow you to click it in the quick look menu. After many more attempts I optimised the payload: That means when you refresh, the JavaScript URL will be activated. What was happening? Safari was visiting a HTTP URL, but stripping the protocol which left the JavaScript protocol. I then tried to make the JS URL look more like a regular URL: This also failed, but then I tried this: That seemed to be clickable but I couldn't find the server message, and the URL bar was showing the JavaScript URL. This was parsed and the quick look menu showed, but didn't allow you to click the URL. The first thing I did was to try and make the JavaScript URL look like a protocol: javascript://alert(1).com Although JavaScript URLs didn't work, I started to look for ways to bypass this restriction. So you could embed a XSS payload inside an image, and Safari would happily parse it and allow you to click it. I then tested to see if it would allow query string parameters. ![]() The first thing I tried was to see if protocols were recognised - it seemed to allow http and https, but not javascript or file. So, I decided to use Photoshop and do some manual testing. ![]() Normally I'd fuzz the URLs but this was quite difficult because you had to hover over the image and click a menu, which made fuzzing awkward. Naturally, we then started investigating what kind of URLs it would recognise. Any image you upload to any website can now embed a URL on Safari! What was happening was because the Amazon logo had an arrow underneath, it was breaking the OCR - this then resulted in the URL being parsed as Zon.com. This is a Safari feature, it attempts to parse URLs in images. I loaded up Safari and hovered over the image, then a "quick look" menu popped up and gave a link to ! So I loaded up Photoshop and made an image that had in it. His first questions to us - "Have we been hacked? Why on earth is this URL showing on our homepage?!"Īfter some investigation with dev tools we didn't find anything out of the ordinary. To our shock, it showed a link to "Zon.com". He came over to us, loaded our homepage on Safari and hovered over the Amazon logo. Ric (one of our designers) noticed some suspicious behaviour on our website. This all started with the mysterious arrival of 'zon.com' on our company homepage. This means you can link any image to an external website - and Safari might already be sending your users to unintended destinations. Every image is potentially a URL on Safari, thanks to over-enthusiastic OCR (Optical Character Recognition). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |