Interesting security vulnerability in WYSIWYG editors


(Andrew Harris) #1

Just an FYI.


I had a report of a problem on a page which was showing 'Shoppermaster' links.


Impossible to know exactly how this happened, but I suspect a user was editing this content using a browser that had been compromised by the Shoppermaster malware. The malware looks through the code of a page, and inserts links on certain keywords.


Normally, this would only happen on page load, and only affect the user with the malware. However, in this case, I believe the malware inserted links into the HTML presented by the WYSIWYG editor; the user had write access to the content, and saved the malware links into the code of the page, where everybody could see them.


I've never seen anything like it, but it presents a pretty amazing and troubling attack vector - what if the malware was tweaked to recognise the URLs/patterns of the edit interfaces of major CMS software, and quietly inserted itself into the code, to be presented to all visitors?


Ouch!


Might switch to markdown!!


(Bart Banda) #2

Sounds like they need to clean out their computer. This is where something like workflow comes in as well, to make sure content is checked before it goes live. Simply pasting links into a WYSIWYG is completely acceptable, so there's nothing that can really be stopped automatically. Not really a security vulnerability, more user error, or an OS/browser vulnerability.


(Edison Wang) #3

It's pretty bad that the content editor's computer got compromised.

It sounds like the malware could intercept and manipulate how the user interacts with the browser, including any text the user enters, passwords, bank accounts, etc.


I think you should contact that author, close his account and get his computer checked.

It's not something a CMS could prevent.


I don't think using markdown would help much, because the malware might just replace any HTTP URLs you entered with the bad URL. In the worst case, the user's credentials could have already been leaked.


(Luke Wright) #4

I've never seen anything like it, but it presents a pretty amazing and troubling attack vector - what if the Malware was tweaked to recognise the URLs/patterns of the edit interfaces of major CMS software, and quietly inserted itself into the code, to be presented to all visitors.


I suspect that's because most editors (Matrix's classic WYSIWYG editor included) use the HTML "contenteditable" attribute to turn a content container (i.e. a div) into a rich text editor. Since it's just another div on the page to the browser, I doubt the malware in question - part of whose payload is to change parts of text on a page into links for their site - would have the knowledge to distinguish between the two.


Of course, since the HTML inside that contenteditable div is also the authoritative source of the edited content, if the malware changes links like that, then you get what you see above, it seems.


That's what I understand of it anyway. I'd probably echo Bart's concerns about potential safeguards beyond physical computer security.
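A server-side check in the spirit of Bart's workflow suggestion, added here as an example and not code from the thread or from Matrix: on save, compare the submitted WYSIWYG HTML with the version already stored and flag links that are new and point at a host outside an allowlist, so the change can be held for review. The allowlist, host names and sample HTML are constructed for the example.

```python
# Added example (not from the thread or any CMS): diff a WYSIWYG submission
# against the stored page and flag newly added external links for review.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def suspicious_new_links(stored_html, submitted_html, allowed_hosts):
    """Links absent from the stored version whose host is not allowlisted.
    Relative links (no host) are treated as internal and not flagged."""
    before = set(extract_links(stored_html))
    flagged = []
    for href, text in extract_links(submitted_html):
        host = urlparse(href).hostname
        if (href, text) not in before and host and host.lower() not in allowed_hosts:
            flagged.append((href, text))
    return flagged


# Constructed sample: the editor only rewrote a sentence, but the submitted
# markup also carries a link wrapped around a keyword that nobody typed.
STORED = "<p>Our store sells shoes and hats.</p>"
SUBMITTED = ('<p>Our store sells <a href="http://ads.example/shoes">shoes</a> '
             'and hats. <a href="/contact">Contact us</a>.</p>')
ALLOWED_HOSTS = {"www.example.org"}
```

The check cannot tell an injected link from one the editor pasted deliberately; it only surfaces the difference so a human in the workflow can decide before publication.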


(Andrew Harris) #5

Yes, as I said, it's a pretty normal routine for browser malware to alter the content of a viewed page, and the outcome is usually something like these crappy links. Usually, the user of that browser becomes aware of the presence of such an obvious problem, but some slip through.


My point was: what if someone crafted some malware to sit silently in a browser until it saw a URL pattern like /_edit, /_admin, or even /wp-admin, or any one of a dozen popular CMS platforms, sneakily inserting nasty code which was then written to the page and published to the world. I reckon it would be quite an efficient distribution method, and one you'd have real trouble testing for, and stopping.


Just thinking out loud ;-)


(Douglas (@finnatic at @waikato)) #6

My point was: what if someone crafted some malware to sit silently in a browser until it saw a URL pattern like /_edit, /_admin, or even /wp-admin, or any one of a dozen popular CMS platforms, sneakily inserting nasty code which was then written to the page and published to the world. I reckon it would be quite an efficient distribution method, and one you'd have real trouble testing for, and stopping.


It's likely the malware would turn up on the radar of major anti-malware software developers, and they might warn about it even if they weren't sure what it did?