With crossdomain.xml a site owner may configure a policy stating which off-domain sites are allowed to read its data (or parts thereof), and the client, Flash in this case, is responsible for enforcement. This feature paves the way for richer client-side applications. Crossdomain.xml policies are also extremely flexible, allowing websites to be defined by IP, domain, subdomain, or everyone (*) under the sun. And this is one area where we potentially run into trouble.
When a hostname is included in the circle of trust you allow it to read all data on the site that the user has access to; this includes any (authenticated) content and (session) cookies. So should a malicious attacker or website owner gain control of a website in the circle of trust (via a server hack or XSS), then they feasibly can compromise user data off that domain. This could easily lead to privacy violations, account takeovers, theft of sensitive data, and bypassing of CSRF protections (grabbing the key ahead of time).
With this understood I was curious just how many prominent websites are actively using crossdomain.xml and generally how they are configured. For sampling I combined the “www” hostnames of the Fortune 500 with the Global Alexa 500. Of the 961 unique websites in all (and keeping the results to myself for now)…
- 28% have a crossdomain.xml policy file of some type.
- 7% have unrestricted crossdomain.xml policy files.
- 11% have *.domain.com restricted crossdomain.xml policy files.
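The three buckets above come down to what the `allow-access-from` entries in a policy say. The following is an added example (not code from the post) that classifies a crossdomain.xml into those same buckets and lists what each entry hands to other origins, so a site owner can audit their own policy. The sample policies, the hostnames in them and the `site_domain` parameter are constructed for illustration; the `secure` attribute handling follows the Flash Player rule that `secure` defaults to true and only an explicit `secure="false"` lets an HTTP origin read an HTTPS site's data.

```python
"""Audit a crossdomain.xml policy for over-broad trust (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Buckets matching the survey categories in the post
UNRESTRICTED = "unrestricted"              # some allow-access-from domain="*"
SUBDOMAIN_WILDCARD = "subdomain-wildcard"  # broadest entry is a *.something pattern
RESTRICTED = "restricted"                  # only explicit hostnames or IPs
NONE = "none"                              # no cross-domain read access granted


def parse_allowed(xml_text):
    """Return [(domain, secure)] for every allow-access-from element."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is %r, not cross-domain-policy" % root.tag)
    allowed = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "").strip()
        # Flash Player default: secure="true"; only an explicit "false" opens HTTPS data to HTTP origins
        secure = el.get("secure", "true").strip().lower() != "false"
        if domain:
            allowed.append((domain, secure))
    return allowed


def classify(xml_text):
    """Bucket a policy the way the survey does: unrestricted beats subdomain wildcard beats restricted."""
    allowed = parse_allowed(xml_text)
    if not allowed:
        return NONE
    level = RESTRICTED
    for domain, _secure in allowed:
        if domain == "*":
            return UNRESTRICTED
        if domain.startswith("*."):
            level = SUBDOMAIN_WILDCARD
    return level


def audit(xml_text, site_domain):
    """List, in plain words, what the policy lets other origins read from site_domain.

    site_domain is the registrable domain of the site serving the policy (e.g. "example.com").
    """
    findings = []
    for domain, secure in parse_allowed(xml_text):
        if domain == "*":
            findings.append("any origin may read authenticated content from %s" % site_domain)
        elif domain.startswith("*."):
            parent = domain[2:]
            if parent == site_domain:
                findings.append("every host under %s (any subdomain, including ad-serving or "
                                "XSS-prone ones) may read authenticated content" % parent)
            else:
                findings.append("third-party wildcard: every host under %s may read "
                                "authenticated content" % parent)
        if not secure:
            findings.append('secure="false" on %s: plain-HTTP origins may read HTTPS data' % domain)
    root = ET.fromstring(xml_text)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "").strip() == "*":
            findings.append("any origin may send custom request headers (%s)"
                            % el.get("headers", "").strip())
    return findings


# Constructed sample policies, one per survey bucket
POLICY_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

POLICY_SUBDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="*.partner-cdn.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

POLICY_TIGHT = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="widgets.partner.example"/>
  <allow-access-from domain="10.0.0.5"/>
</cross-domain-policy>"""

POLICY_EMPTY = """<?xml version="1.0"?>
<cross-domain-policy>
</cross-domain-policy>"""


if __name__ == "__main__":
    for name, policy in (("open", POLICY_OPEN), ("subdomain", POLICY_SUBDOMAIN),
                         ("tight", POLICY_TIGHT), ("empty", POLICY_EMPTY)):
        print(name, "->", classify(policy))
        for finding in audit(policy, "example.com"):
            print("   ", finding)
```

To audit a live site, fetch `/crossdomain.xml` from its document root and pass the body to `classify` and `audit`; a `subdomain-wildcard` result means every host under that parent, whoever operates it, sits in the circle of trust described above.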
Now if I may take things just one step further, because these types of attacks can scale far easier and become more damaging than it might first appear. We've already seen several cases where Flash-based advertising is poisoned through an upstream CDN provider, eventually leading to the exploitation of users' browsers. These attacks are spotted because they take advantage of a well-known vulnerability, load malware detectable by A/V signatures, and detectably compromise a machine. But let's say they didn't do that and instead attempted something subtle.
What an attacker could do is purchase some Flash-based advertising delivered anywhere on a domain inside a circle of trust (*.domain.com). Instead of using traditional malware exploits they’d force an innocent-looking and invisible cross-domain request on behalf of the user. This request could easily steal session cookies, read your Web email, spam email for that matter, access your social network, and the list goes on and on. Not only would this be inexpensive, but also extremely difficult to detect because everything would appear legit. As I say this, I can’t help but wonder if it hasn’t happened already and we just haven’t realized it. We’re all so used to blaming online account compromises on trojan horses that we haven’t stopped to consider or investigate other possibilities.
Thanks to Russ McRee for blog title and content assistance.