Bypassing SOP and shouting hello before you cross the pond


“Don’t shout hello before you cross the pond” is a Swedish saying meaning you shouldn’t celebrate until you are absolutely certain. Yesterday I did just that after finding a partial SOP bypass.


It started with me noticing that you could access malformed hostnames in Firefox (on OSX): the URL “” would load and send “” in the Host header. I then tried adding characters after the leading dots, and “” also worked.


Instantly I knew this meant SOP could be bypassed, because Flash would treat “” as covered by “*” while Firefox would treat it as belonging to “”. This meant that we could bypass SOP for any site serving a crossdomain.xml file that allows “*”.
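As an added example (not from the original post), here is a small Python audit helper that parses a crossdomain.xml policy and flags the wildcard grants this bypass depends on; the audit_crossdomain function and the two sample policies are constructed for this illustration.

```python
# Added example (not part of the original post): parse a crossdomain.xml
# policy and report entries that grant access to every origin. A "*"
# allow-access-from rule is what made the partial SOP bypass matter, so it
# is the setting a site owner would want to find and tighten.
import xml.etree.ElementTree as ET


def audit_crossdomain(policy_xml: str) -> list:
    """Return a list of findings for the given crossdomain.xml text.

    Each finding is a short string; an empty list means no wildcard grant
    was found. Only <allow-access-from> and
    <allow-http-request-headers-from> elements are inspected.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append(f'<{tag}> grants every origin (domain="*")')
            elif domain.startswith("*."):
                findings.append(f"<{tag}> grants all subdomains of {domain[2:]}")
            # secure="false" lets a plain-HTTP caller read an HTTPS site's data.
            if el.get("secure", "true").lower() == "false":
                findings.append(
                    f'<{tag} domain="{domain}"> allows non-HTTPS callers (secure="false")'
                )
    return findings


# Constructed sample policies for demonstration.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" />
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or ["no wildcard grants"])
```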


At this point I checked the Alexa top 10000 and confirmed that 7% were exploitable. I made a PoC for


SOP Bypass

Aftermath of going to


To make sure the bug wasn’t only on my machine, I asked a co-worker to try it out in his VM. Yep, that worked. Finally, I updated Firefox to the newest version and the bug was still there. In my excitement I hinted on Twitter about what I’d found and started planning disclosure and a writeup. Bug = Verified, right?


Not so fast. The mistake was that I didn’t update the OS to the newest version. Later, when I did, the bug was dead. After some digging I came to the conclusion that it was fixed when CVE-2015-3755 was patched (6 months ago).


CVE-2015-3755 was reported as a URL spoofing bug by xisigr, and his writeup can be found at Updating to OSX Yosemite 10.0.5 or OSX El Capitan will fix this bug.


To sum up:

  1. Always verify bugs on updated software and OS.
  2. CVE-2015-3755 can be used for SOP bypass.
  3. Don’t shout hello before you cross the pond.



Mathias Karlsson

Security Researcher