Saturday, January 26, 2013

Identification Attacks on Google

UI Redressing Mayhem: Identification Attacks and UI Redressing on Google Chrome

by Luca De Fulgentis,
December 31st 2012

The Google Chrome web browser seems to have defeated any extraction methods, denying the use of the view-source handler and disallowing cross-origin drag&drop. Despite these adverse conditions, I identified some attack scenarios where a UI Redressing issue could be still performed in order to extract sensitive data. Once again, the method is extremely simple. Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the "dropper" is a form (text area, input text field, etc.) located on the same domain. Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntary publish sensitive data. As a matter of fact, the attacker is exploiting a subsequent clickjacking vulnerability on the same domain, which causes the publication of the personal information. I refer to this kind of attack chain as a "bridge" that allows the attacker to move sensitive data from being private to public, while remaining on the same domain. Then, the attacker can simply access the (now) public information to obtain the extracted data. It should be outlined that the technique requires two vulnerabilities: a web resources that is not protected by the X-Frame-Options (or uses a weak frame-busting code) and a site's functionality that is affected by clickjacking.

The following list summarizes a series of functionalities that could be abused to extract the sensitive data:

  • Forum's post mechanism;
  • "comment this item" functionalities;
  • Public profile information updating function (or any "update function" that involves public available data - e.g. administrative functions that cause the updating of the web site's content);
  • Messaging functionalities (e.g. from the victim to the attacker);
The proposed method has been successfully applied against Google Chrome version 23.0.1271.97, targeting the Amazon web application. Amazon exposes a series of web resources that include user's data - such as the name, e-mail address, mobile number and "address book" details - that are not protected with both X-Frame-Options header or any frame-busting mechanism. As an example, the following vulnerable URL includes Amazon's user first name, last name and e-mail address:
A second issue on the comment function - our "bridge" - can be abused to publish the user's information as a comment for an Amazon item (e.g. a book), previously known by the attacker, and whose comments are "monitored". The following steps summarize the exploitation phases:
  1. The exploit frames both the vulnerable URL and the comment form of a attacker-chosen Amazon's book;
  2. The victim is triggered to drag his data and drop the information to the framed comment form;
  3. A clickjacking attack is then performed against the "Post" mechanism, in order to publish the dropped data;
  4. At that point the attacker can access all personal details by simply visualizing the submitted comment of the Amazon's item.
The exploit code can be download here, while the following is a video of the described attack:

See Video:

See Video:

Original Page:

Shared from Pocket


No comments:

Post a Comment