XSUH

Athos

2010-07-11 22:45:34

I'm afraid I've just missed the World Cup 2010 final. Doh! But I have some 4-month-old news to share with you!

I reported a bug in Mozilla's bugzilla on 1st March, 2010. This bug has been NEW since then (you won't be able to access the bug as it is considered a security issue). Three later bugs have been marked as duplicates of it so far. There's also a paper out in the wild with several advanced exploit techniques described, that was not written by me. So we have been using Firefox for 4 months with a serious information leakage, one that can be used to monitor our browsing habits by site owners or to improve phishing attacks. I think 4 months is enough time to wait for some progress in fixing a security bug before making it public, and I've not seen any such progress (the only thing that happened is that the bug has got a tag saying it is blocking Gecko 2.0, so it is going to be fixed in Firefox 4, which is going to arrive in November), and nobody told me to keep this a secret (I waited almost a month for an answer), so here it is. In these 4 months other people found the same bug and wrote public papers about it, and attackers may already be exploiting it, so there is no sense in me not publishing details on this topic.

As you may know, the same origin policy guarantees that scripts from one site cannot access information from other sites via client-side scripts, e.g. in this blog I should not be able to see which URLs you visit in tabs opened from this one (obviously when you click on a link, its URL can be known, but not those that you load in that tab afterwards). Cross Site URL Hijacking lets attackers access full or partial URLs of browser tabs, from the moment the tab is opened until it is closed. The only requirement for the attacker is to hold a reference to the window object in JavaScript and access its location property.

This trick can be used to monitor a visitor's browsing habits, for example to show relevant ads, but it can also be utilized for phishing attacks against sites that use different subdomains in the steps of the login process. E.g. when you log into Flickr, you are redirected from flickr.com to login.yahoo.com and, after entering your ID and password, back to flickr.com. An attacker may detect these redirects and present a fake login page with an error message after the second one. When the user enters his credentials for the second time, thinking he had a typo, the attacker can redirect him back to Flickr. When you have a typo in your password, do you check the URL again when you see the error message?

The bug lies in the JavaScript exceptions that Firefox throws when a script attempts to violate the same origin policy. Some of these exceptions, when converted into strings, leak URL information. E.g. the "Permission denied" exception thrown when a script attempts to access the location property of a window object contains the domain part of that very location property that should not be accessible! "You naughty little script, I will never-ever tell you that google.com is loaded into that window! Oopsie, wait a minute. I've just told you that!"
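The root cause is a general one: an error message crossing a trust boundary must not carry data the caller was denied. The following is an added example (not the post's demo, and not Firefox's actual code) that models the guard in plain JavaScript: a toy `window` object, a leaky guard whose exception text names the foreign host, and a hardened guard whose text names only what the caller already knows. The message format and the `example.test` hostnames are constructed for illustration; `messageLeaksHost` is the kind of check an engine's test suite can run over every cross-origin exception path.

```javascript
// Added example, not code from the original post or from Firefox: a toy model
// of a browser's same-origin guard on window.location. The "browser" is a
// plain object; URLs and the message wording are constructed for illustration.

// Extract a scheme://host[:port] origin from a URL string.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Simulated browser window holding the document it has loaded.
function makeWindow(loadedUrl) {
  return { location: { href: loadedUrl } };
}

// Leaky guard (the class of behaviour the post reports): the exception text
// embeds the protected window's origin, so a caller that merely catches the
// error and stringifies it learns where that window navigated.
function readLocationLeaky(callerOrigin, win) {
  const target = originOf(win.location.href);
  if (target !== callerOrigin) {
    throw new Error(
      `Permission denied for ${callerOrigin} to get property Location.href from ${target}`
    );
  }
  return win.location.href;
}

// Hardened guard: the message describes only the caller's own origin and the
// property name, never anything derived from the foreign document.
function readLocationSafe(callerOrigin, win) {
  const target = originOf(win.location.href);
  if (target !== callerOrigin) {
    throw new Error(
      `Permission denied for ${callerOrigin} to get property Location.href`
    );
  }
  return win.location.href;
}

// Perform the read the way a page script would and return the text it gets
// to see: the exception message on denial, or null when access succeeded.
function observedMessage(readFn, callerOrigin, win) {
  try {
    readFn(callerOrigin, win);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Regression check: does the caught text expose the foreign window's host?
function messageLeaksHost(message, win) {
  if (message === null) return false;
  return message.includes(new URL(win.location.href).host);
}

// Stand-alone demonstration with constructed origins.
const victimTab = makeWindow("https://accounts.example.test/login?next=/photos");
const blogOrigin = "https://blog.example.test";
const leaky = observedMessage(readLocationLeaky, blogOrigin, victimTab);
const safe = observedMessage(readLocationSafe, blogOrigin, victimTab);
console.log("leaky guard exposes host:", messageLeaksHost(leaky, victimTab));
console.log("hardened guard exposes host:", messageLeaksHost(safe, victimTab));
```

The point of `messageLeaksHost` is that the fix is verifiable: once every denial path is routed through a message builder that takes only caller-side data, a test like this over each cross-origin property (`href`, `host`, `pathname`, and so on) catches a reintroduced leak before it ships.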

To avoid a phishing attack, always double-check the URL in the location bar whenever you enter your password on a site. For myself, I also turned on alerting when I'm navigated away from an HTTPS URL.

Here is my demo to show a basic exploit of this bug.

Tags: cross site url hijacking firefox opinion security xsuh
