
DuckDuckGo XSS vulnerability - NZSmartie
https://twitter.com/hexdefined/status/940170335093006342
======
mcintyre1994
That second link is seriously scary, how would you ever avoid falling for
that? Does anyone know how it works? Going to
[https://tranquil-bits.surge.sh](https://tranquil-bits.surge.sh) I'm guessing
I'm seeing the attacker's form, but it has duckduckgo.com/vpn as the URL and https.

Edit: If you click submit on the VPN form you get "This could have been a
phishing page." so it's definitely the attacker's form, that's crazy.

~~~
discordianfish
The problem is the XSS vulnerability. This means the attacker can run
arbitrary JS on the site, which I assume is used in the second link to modify
the form handlers to run the "This could have been a phishing page.". And yes,
that could be used to send the credentials somewhere.

There isn't anything you can do to spot this. This is on DuckDuckGo to fix and
them not responding to the report for such a long time is irresponsible and not
really excusable.

~~~
mcintyre1994
They're faking the URL too though -
[https://duckduckgo.com/vpn](https://duckduckgo.com/vpn) isn't a real site or
product - it just redirects to a DDG search for vpn. The page is entirely the
attacker's, but it shows DDG's domain with https.

It looks like tranquil-bit.surge.sh redirects to
[http://tranquil-bit.surge.sh/vpn](http://tranquil-bit.surge.sh/vpn) so maybe
DDG are somehow setting the URL to whatever the u= param redirects to?

~~~
jchw
The URL faking is with the HTML5 history API. It's possible to fake any URL on
that domain because the JavaScript is executed in the context of that domain.

------
_Codemonkeyism
Wow.

"Reported in March 2017, emailed them 9 times about the issue since then.
Still unfixed as of now."

~~~
yegg
We have corresponded many times about this issue, and have made many changes
over that period.

It's not as simple as just shutting down the open proxy because we need an
open proxy to adequately protect users' privacy on our site, e.g. for image
search. It just needs to be more locked down and more obvious it is a proxy,
which we are doing right now (half done already -- CSP rolled out fully, new
domains in process).

~~~
_Codemonkeyism
+1

------
yegg
We are working on further fixing this issue. We require an open proxy in some
form to protect our users' privacy, though it should be more locked down and
more obvious it is a proxy.

~~~
minitech
> We require an open proxy in some form to protect our users' privacy

Which feature relies on this?

~~~
yegg
Currently all the features that showcase third-party content on DuckDuckGo,
the biggest being image and audio instant answers.

~~~
provost
Thanks for the update and follow-up answers.

Could you comment on the "Reported in March 2017, emailed them 9 times about
the issue since then. Still unfixed as of now." claim, as it seems imperative
to the discussion?

Is there something that can be improved here? Perhaps that inbox is not as
actively monitored as it could be?

~~~
yegg
We have real-time monitoring for that inbox and a 24/7 ops team. We have
corresponded many times about this issue, and have made many changes over that
period.

It's not as simple as just shutting down the open proxy because we need an
open proxy to adequately protect users' privacy on our site. It just needs to
be more locked down and more obvious it is a proxy, which we are doing right
now (half done already).

------
la_oveja
[https://ddg.gg/html/](https://ddg.gg/html/)

No fancy quick-result box, but fast as lightning.

------
slazaro
Wow. The example in the tweet would completely fool me. If you just go to the
address bar and press enter ("reloading" the page, but actually going to the
address), you can see it's just a search.

------
drake01
[https://twitter.com/hexdefined/status/940183455509262336](https://twitter.com/hexdefined/status/940183455509262336)

------
interfixus
Thank you, just the push I've been needing. As of this moment, I'm off to
ixquick/startpage, which for one thing doesn't require me to go all laid-back
and inclusive on the JavaScript, and which for another has those nifty proxy-
links.

~~~
helenius
If you just want a search engine without Javascript try
[https://duckduckgo.com/html](https://duckduckgo.com/html)

Adding to Firefox is easy via
[https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-html/](https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-html/)

~~~
interfixus
That's one trick I had somehow missed. Mind you, that's _extremely_ barebones,
not as much as a link to any image-search or options.

------
NLips
Can someone explain what I'm seeing? As far as I can tell, both those links
really do leave me on DDG webpages. The only requests according to firebug are
to duckduckgo.com. What am I missing (or has this since been fixed)?

~~~
yegg
It has since been fixed.

------
t0mek
There's a typo in the title - it should be "XSS on DuckDuckGo"

