Skip to content

iFrames Bypass Origin Checks for Tauri API Access Control

Moderate severity GitHub Reviewed Published May 23, 2024 in tauri-apps/tauri • Updated May 23, 2024

Package

cargo tauri (Rust)

Affected versions

< 1.6.7
>= 2.0.0-beta.0, < 2.0.0-beta.20

Patched versions

1.6.7
2.0.0-beta.20

Description

Impact

Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2.
This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window.

For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.

Patches

The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems.

This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same.

We have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via window.ipc.postMessage).
This introduces an invoke key (__TAURI_INVOKE_KEY__) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC.
This key is not used to protect against compromised Tauri windows or WebViews and is only intended to block IPC access from sub-frames.

Unauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the potentially malicious IPC call will be ignored.

Workarounds

These workarounds should only be considered if you are unable to upgrade to the patched Tauri version in time.

As a workaround for v1 Tauri applications, we recommend using a dedicated window for untrusted origins instead of iFrames, or disabling script execution within the iFrame.

For v2 Tauri applications targeting Linux, it is possible to use either a dedicated window or multiple WebViews in the main window to simulate iFrame behavior.
On other platforms, it is only possible to use dedicated windows or disable script execution inside the iFrame, as described for v1.

References

If you have any questions or comments about this advisory:

Open an issue in tauri or
Email us at [email protected]

The original submissions from the reporter:

Context

This is following up on the comments here: tauri-apps/tauri#8316, and here: https://discord.com/channels/616186924390023171/1227969106091966475. I was asked to submit my findings as a vulnerability report.

Firstly, thank you to all of you from the core team that helped out and guided me through understanding this issue! Huge fan of Tauri, and I'm excited to see it succeed!

Summary

In short, any iframe you add in your Tauri frontend will get access to Tauri APIs, even in isolation mode.

Any embedded iframe that you don't own will be able to invoke the same APIs your app does. While isolation mode allows for finer grained control of what Tauri APIs can be called, it is not possible to determine if a request is coming your own app, or from a potentially malicious iframe.

This means your app could be open to malicious iframe being able to execute any command your app can, and there doesn't seem to be a mechanism to filter these out.

Details

I'm not an expert in Tauri source code, so I can't be sure I'm on the right track here, but I assume this has to do with how the webview is bootstrapped with the Tauri APIs.

I know there's various handlers that get set, such as opening target="_blank" links via a shell command, and of course setting invoke and other such APIs. Sounds like the issue is somewhere there and the APIs are being injected where they shouldn't.

Technically it seems that an attacker couldn't actually receive a response from the command it executes. Tauri IPC can't route the response back to the invoking iframe, but the action is still executed, with the response just being dropped. You see these messages in the logs:

[Warning] [TAURI] Couldn't find callback id 3399436348 in window. This happens when the app is reloaded while Rust is running an asynchronous operation.

PoC

Repository with reproduction steps: https://github.com/begleynk/tauri-sandbox-iframe-escape-poc

Building on that POC, here is a video of a Codepen iframe running inside an isolation mode Tauri app, invoking the same "Greet" command the frontend is invoking.

https://github.com/tauri-apps/tauri/assets/1065208/8efd5f9d-3116-4068-b98b-6ace7de9261c

This is done with the following code running inside Codepen:

window.__TAURI_INVOKE__("greet", { name: "From CodePen" })

Impact

Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app.

References

@tweidinger tweidinger published to tauri-apps/tauri May 23, 2024
Published to the GitHub Advisory Database May 23, 2024
Reviewed May 23, 2024
Published by the National Vulnerability Database May 23, 2024
Last updated May 23, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-35222

GHSA ID

GHSA-57fm-592m-34r7

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.