[0.3.45] XSS Vulnerability

Lessthan (New Member), May 30, 2021
The way that custom images are handled is insecure. By putting a space in the data URL of the custom image, you can start writing attributes to it.

For example:
If I load a savefile with a "customImage" element of "data:image,1 onerror=\"alert('Hello World')\"" and then make a save in any slot, the icon associated with that save would have an onerror attribute of "alert('Hello World')" that would run every time the save menu is opened.

Also, there's an angle bracket filter to make sure that savefiles containing "<" or ">" won't load, but this can easily be bypassed by using unicode escape sequences ( "\u003c" is "<", "\u003e" is ">" ).

The way that the value for Electrum Coins is displayed is also insecure, and because the angle bracket filter can be bypassed, DOM elements can be injected into the page through the "credits" element of a savefile. This also allows for code execution immediately after loading a savefile.

An example payload would be: "credits": "\u003cimg src=x onerror=\"alert('Hello World')\"\u003e"

I've attached a payload I wrote that allows a user to upload and execute javascript files.

Also, don't load a save file if you're not 100% sure you can trust it. I only added this file since I'm not great at explaining things; it's so the devs can read through it, and hopefully it will be helpful.

Attachments

  • payload(no data).coc2 (2.2 KB)