Just tested. Seems to work in Chrome content scripts but not Firefox. Code at https://fromwhenceitca.me/ExternalInterface/ …
Replying to @Allan_Wirth @taviso
ExternalInterface.addCallback allows arbitrary return objects. Unfortunately form trick only allows one array/item access from the global :(
Replying to @Allan_Wirth @taviso
Also looks like, if you ExternalInterface.call in a callback called from content script, you're NOT in the isolated world.
Replying to @Allan_Wirth
You've lost me, and your files all 403. How do you make a content script use ExternalInterface.call without XSS? (i.e. already won)
Replying to @taviso
Oops, perms fixed. The stack going from content script world to other isn't a security issue, more just unexpected and strange.
Replying to @Allan_Wirth @taviso
The addCallback working on HTMLObjectElement from isolated world in Chrome though probably is useful for exploiting some bugs like the

Replying to @Allan_Wirth
Ahh, I see, that is interesting. I didn't believe it would work across worlds, you're right, it does. That's...worrying /cc @0x6D6172696F
Replying to @taviso @Allan_Wirth
That is going to make something exploitable for sure. Thanks for making the demo!
Replying to @taviso @Allan_Wirth
Maybe this is even a bug?
//cc @arturjanc @mikewest @nasko @zetafuncti0n
Replying to @taviso @Allan_Wirth and
Seems like it. Would you mind filing something? I'm sure @zetafuncti0n can fix it tonight while I'm sleeping. :)
Sure, filing it now.