There has been some very clever attacks lately, especially involving browsers and the kind of data they can leak when probed the right way. The biggest press recently was generated by the history leak that occurs in most browsers.
Another clever attack that got some coverage lately was tabnapping and the latest is another fascinating way to lift information from browsers using the auto-complete feature.
It’s good to see these kind of attacks, when you think about technically how they operate – they are fairly simple. But in saying that it takes a leap in logic to even get to the point where you can start coding for something like this.
The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.
In a talk scheduled for next week’s Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.
It seems all 4 of the main browsers are susceptible to this, although the implementation varies slightly for each browser. Hacking wise that’s not a big problem as you can just do a user agent string identification when the user lands on the malicious page and serve them up with the relevant info grabbing script for their browser type.
The worst case scenario is if this flaw allows malicious pages to gather user passwords that are stored in the browser, combined with the ability to probe the browser to see which sites they have visited..it could multiply into a quite accurate and potentially dangerous attack.
Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.
In the case of Safari, Grossman’s proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.
“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it’s so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”
Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user’s down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.
Another neat trick is the ability to erase all cookies on a users computer, not really dangerous but certainly annoying. The trick is to spawn more cookies than the browser can handle (about 3000 for Firefox) so the browser will delete all older cookies. The PoC for this takes about 2.5 seconds!
It’ll be interesting to see the whole talk at BlackHat.
Source: The Register