The time I found a persistent DOM XSS on DuckDuckGo

In the summer of 2020, I found a not-so-interesting but impactful XSS on the DuckDuckGo search engine. I looked into the security of their Cloud Save feature, which lets you have your preferences (colour scheme, styles etc.) saved and then restored in a privacy-friendly way using a passphrase. The passphrase gets hashed and is used as an API key to access them.

I enumerated all the possible options you can save in the preferences object and found two interesting ones. It soon turned out they were indeed vulnerable! You saved a simple DOM XSS payload via Cloud Save and when you tried to restore you got XSSed. And the best thing is… you got XSSed permanently because the malicious options were saved to your cookies and executed every time you opened the page.

This is how the Cloud Save was set up:

POST /settings.js HTTP/1.1
Host: duckduckgo.com
Content-Length: 248

{
    "command":"write",
    "objectKey":"bb6e45e894d7b1f3a2619df967be873b15f8eccd55d3a729f58429b59f72431e4fd4b736a0ae5cf74933bcb5136103e1c09664972b3c489d1b682f08ce0703ff",
    "obj":{
        "kp":"\"><img src=/ onerror=alert(1)>",
        "kae":"\"><img src=/ onerror=alert(2)>"
    }
}

But I hear you ask, how do you force someone to apply your malicious Cloud Save preferences? Well, that’s easy enough, DuckDuckGo has a parameter for that. You just put the key of the Cloud Save in the key parameter like https://duckduckgo.com/?q=s&key=KEYHERE and it gets applied immediately.

However, there was an annoying (and challenging) limitation. The length of the option value, and thus the payload, was limited to 30 characters. That is not a lot, but still can be abused.

See the original report for more details.