
The Status Bar in Orion is vulnerable to ASCII Smuggling.

In Chrome and Safari/STP, the status bar correctly shows the attempt as ASCII Smuggling on this webpage:
https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/

Steps to reproduce:

  1. Enable the status bar (View -> Show Status Bar).
  2. Visit https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/
  3. Go to the "An Example Link With Hidden Data" section and hover over the https://wuzzi[.]net/ link.
  4. Orion cuts off the ASCII characters after https://wuzzi[.]net/

Contrasted with:

  • Chrome 128:

  • Safari/STP:

Orion matches Firefox in how the hover is rendered, but it should instead match Chrome/Safari/STP.

Version 0.99.128.2.1-rc (WebKit 619.1.11.111.2)

Sonoma (14)
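As an added example (not part of this bug report or of Orion's code): a small Python checker that does what the status bar should do here, separating the visible part of a link from Unicode Tag characters and recovering the ASCII they encode, so the hidden text is surfaced rather than silently dropped. The host name in the sample is a constructed placeholder.

```python
# Added example (not from the original report): detect Unicode Tag characters
# (U+E0000-U+E007F) hidden inside a link and recover the ASCII they encode,
# which is what a status bar should surface to the user instead of cutting off.
from typing import List, NamedTuple

TAG_BLOCK_START = 0xE0000
TAG_BLOCK_END = 0xE007F


class SmuggleReport(NamedTuple):
    visible: str          # the link with tag characters stripped
    hidden: str           # ASCII recovered from the tag characters
    positions: List[int]  # indexes of the tag characters in the original


def _is_tag(ch: str) -> bool:
    return TAG_BLOCK_START <= ord(ch) <= TAG_BLOCK_END


def inspect_link(link: str) -> SmuggleReport:
    """Split a link into its visible text and any tag-smuggled ASCII."""
    visible, hidden, positions = [], [], []
    for i, ch in enumerate(link):
        if _is_tag(ch):
            positions.append(i)
            code = ord(ch) - TAG_BLOCK_START
            # U+E0020..U+E007E mirror printable ASCII 0x20..0x7E;
            # U+E0001 (language tag) and U+E007F (cancel tag) carry no text.
            if 0x20 <= code <= 0x7E:
                hidden.append(chr(code))
        else:
            visible.append(ch)
    return SmuggleReport("".join(visible), "".join(hidden), positions)


def render_for_status_bar(link: str) -> str:
    """Escape tag characters as \\U000Exxxx rather than dropping them."""
    return "".join(f"\\U{ord(c):08X}" if _is_tag(c) else c for c in link)


# Constructed sample: a harmless-looking placeholder host followed by text
# smuggled as tag characters (hypothetical input, not from the page).
SAMPLE = "https://example.test/" + "".join(
    chr(TAG_BLOCK_START + ord(c)) for c in "hidden data"
)

if __name__ == "__main__":
    report = inspect_link(SAMPLE)
    print("visible :", report.visible)
    print("hidden  :", report.hidden)
    print("escaped :", render_for_status_bar(SAMPLE))
```

A link whose `hidden` field is non-empty is exactly the case the report describes: the page text and the hover preview disagree, and the user should be shown the escaped form.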

    I guess it's more accurate to say the status bar doesn't render all Unicode tags. Makes my hover technique to check malicious URLs not effective.
