Category Archives: FireFox

Webcam spying with Chrome

tl;dr;

Browsers don't handle webcam permissions well enough, and users should be extremely wary of what is going on in their browser. Of a list of ~30 bugs I submitted to Google on this issue, most have been fixed, but some are still alive.
The most obvious bug still live and kicking in all of the browsers is PopJacking, which is clickjacking using popups. It can be abused to trick users into granting malicious access to their webcam, for example.

Video of the 5 POCs is here

Full text

More than a year ago (6.6.2014) I submitted a list of ~30 security bugs about the way Chrome handles webcam access. They also covered the way Chrome handled almost every other kind of special permission, from webcam/mic access to location.

Some of them concerned bugs and poor implementation of popups, and abusing that in relation to webcam access.

Yesterday Google made my bug report public, so I figured it's about time I shared my findings (all of these links and info were private until now):

This is the original post I privately sent to Google, it has the info

A video with 5 different POCs

The POC and source code

The bug thread on google

While Google fixed most of these bugs, some are still unfixed. Even those that were fixed are not fixed well enough and are still vulnerable to PopJacking, meaning an attacker can still trick a user into allowing webcam access, pretty easily.
PopJacking is merely clickjacking using a popup, probably the most overlooked flaw in browsers since clickjacking itself.

Another side note is about Google's behaviour regarding this bug:
At first they seemed thrilled about it, but then it took them almost a year to fix most of it, only to eventually declare it "WontFix".
One of the bugs I submitted was opened as a separate private bug, but anyone can easily figure out which one it is from the conversation in the currently open bug thread.

From the way Google dealt with this bug and some other security bugs I and others have submitted, it is clear that Google will strongly prefer to dismiss security bugs as "WontFix" or "not a bug". Anything other than RCE or XSS has difficulty fitting in.
I'm pretty sure that something like clickjacking would have been immediately dismissed, only for the mistake to be realised afterwards.
More on that, with some examples, in a later post.

So are we safe now?

– No.
It's still too damn easy to trick a user into allowing something like webcam access, and that applies to other browsers, not just Chrome. Be extremely wary of where you click and of what's going on in your browser at all times. The indication that a website is accessing your camera is not clear enough, so you've got to be wary. (Firefox's indication is much better, by the way.)

Popups are evil

Besides the specific security bugs in popups and the way they can be exploited for PopJacking, I would argue that there is not even one legitimate use of browser popups in terms of user experience.

Browser vendors should just kill popups altogether, forever.

 

The never ending browser sessions

tl;dr;

The concept of session memory is no longer valid in today's browsers. Even sessionStorage is not cleared after closing the tab: it is easily revived by clicking "Reopen closed tab". That might seem like a bug, but not if you look at the spec, which is rather permissive, maybe too much so.

So what’s the problem really?

Imagine you log in to your bank's website from a trusted third-party computer.
When you're done, you simply click the X button to close the site, assuming that your session is over. This used to be true for many years, since it was common for critical websites like banks to store the authentication token in a session cookie.
Session cookies, as the name implies, are gone when the session is gone. The problem is that with tabbed browsing, and with browsers that keep running in the background, that session may end long after you clicked the X: a session cookie lives as long as the browser process, not the tab.
This means that most of the time, anyone using that computer after you will be able to continue where you left off, logged in as you.

sessionStorage to the rescue? – not really

So if session cookies are not good enough, what about that shiny sessionStorage?
It's isolated per tab and cleared when that tab is closed.
It must be good: you click the X and it's gone.
Well, almost...
In Chrome and Firefox the session storage is easily revived with a right click and "Reopen closed tab" or "Undo close tab" respectively.

This strange and unexpected behaviour of sessionStorage still complies with the spec, which is somewhat over-permissive:
“The lifetime of a browsing context can be unrelated to the lifetime of the actual user agent process itself, as the user agent may support resuming sessions after a restart.”

We can argue whether this is a bug or not, but it is definitely a bad feature and should be mitigated. We should have real session storage that we can trust to be cleared when we click the "X", without unreliable tricks like onbeforeunload and the like.

Here's a demo: close the tab and reopen it with "Reopen closed tab" and the sessionStorage will be revived.

While Chrome and Firefox behave badly and revive the sessionStorage, Safari and IE11 don't revive it and are the safer browsers in that regard.

Bottom line

As a user, always, always log out manually; never rely on just closing the tab or the browser.

As a developer, the only way to create real sessions that are gone when the user closes the tab is to keep anything critical in memory, and only in memory. I've written more about it, with examples, here.
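The following is an added example, not the demo linked above nor code from the post's author. It shows both points of this post in one script: the load-time check the demo performs (a session id found in sessionStorage on load means the tab was reloaded or revived via "Reopen closed tab", not opened fresh), and the in-memory-only session recommended for developers, whose token lives in a closure and so cannot outlive the script. The storage object is passed in as a parameter so the same code runs in a browser (pass window.sessionStorage) or under Node; the MemoryStorage stand-in, the simulate* helpers and the "sess-N" id format are assumptions made only so it runs offline.

```javascript
// Added example: sessionStorage revival versus an in-memory-only session.
// Storage is injected so the code runs outside a browser; MemoryStorage is
// a stand-in with the subset of the Web Storage API used here (assumption).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Sequential ids stand in for random tokens so the demo needs no crypto.
let nextId = 1;
function newId() { return "sess-" + nextId++; }

// What the demo page does on every load. A session id already present in
// sessionStorage means this load is a reload or a revived tab; a genuinely
// fresh tab starts with empty storage.
function loadWithSessionStorage(storage) {
  const existing = storage.getItem("session-id");
  if (existing !== null) {
    return { revived: true, id: existing };
  }
  const id = newId();
  storage.setItem("session-id", id);
  return { revived: false, id };
}

// In-memory-only session: the token exists only in this closure. A reload,
// a closed tab or a revived tab re-runs the script and gets a fresh object
// with no token, so nothing survives the "X".
function createMemorySession() {
  let token = null;
  return {
    login() { token = newId(); return token; },
    isLoggedIn() { return token !== null; },
    logout() { token = null; },
  };
}

// Chrome/Firefox "Reopen closed tab": the revived tab sees the same
// sessionStorage contents the closed tab had.
function simulateReopenClosedTab(storage) {
  return loadWithSessionStorage(storage);
}

// Safari/IE11 as described in the post: the closed tab's storage is gone,
// so the reopened tab starts from empty storage.
function simulateTrueNewTab() {
  return loadWithSessionStorage(new MemoryStorage());
}

// Browser usage: report whether this load revived an earlier session.
if (typeof window !== "undefined" && window.sessionStorage) {
  const result = loadWithSessionStorage(window.sessionStorage);
  document.body.textContent = result.revived
    ? "sessionStorage revived: " + result.id
    : "fresh tab, new session " + result.id;
}
```

Note that an in-memory token is also lost on an ordinary F5, which is the price of a session that really ends with the tab; keep only non-sensitive UI state in sessionStorage.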

 

Bug in Internet Explorer security model when embedding Flash

Update: I’ve posted a real world example of this bug being exploited.

This one behaves the same on IE6, IE7 and the IE8 betas.

I have only tested this with Flash swf files, but it is likely that this restriction is applied, and broken, the same way when navigating to other types of files.

When a Flash file (swf) is loaded directly in the browser without an HTML page container, for example http://example.com/game.swf, most browsers create an HTML page automatically and embed the swf inside it. Firefox and Google Chrome automatically create an embed tag with some default values, and IE uses the mshtml script res://mshtml.dll/objectembed_neutral.js to load the object.

Because this automatically created embed tag does not set the allowScriptAccess parameter, it defaults to sameDomain. This way the swf file can script the automatically generated HTML page it resides in, using ExternalInterface, which leads to a major security flaw. I will post a real-world example of this flaw shortly.

Internet Explorer, rightfully, considers this generated page less trusted and therefore restricts access to the JavaScript document object, preventing the embedded swf from scripting the DOM of the page.

Just test it: go to any swf file on the web using Internet Explorer, then run this script in the address bar: javascript:alert(document); You'll see the error "Access is denied". Touching the document is prohibited!

[Screenshot: the "Access is denied" error]

But all that is needed to defeat this security feature in IE is to reload the page. That's it; just reload the page once by pressing F5. Run the script again, javascript:alert(document); and you'll see the precious document, and no error will be thrown.

Most of the other JavaScript objects are still available, and among these is the native window object. So a swf file can reload the page on its own using window.location.reload(), and after that it can bypass the restriction and freely manipulate the page.

This script can be run from inside the swf using ExternalInterface.call("eval", "script"). If the "try" clause fails, it is probably IE and the page reloads immediately without the user noticing. The second time the page loads the "try" clause won't fail.

try{
   var $d = document;          // throws "Access is denied" on the first load in IE
   //Mess with the DOM
}catch(ex){
   window.location.reload();   // window is still reachable; after the reload, document is too
}

I was impressed that Microsoft implemented such a security feature, as opposed to Firefox, Chrome and others, which have no similar restriction. But it needs to be done right, otherwise it misses the point.

As I said, I'll post a real-world example of this being exploited soon.

I have finally closed all of my TABs

This happens to me once every few months: I managed to clear all of my Firefox tabs. Read 'em all, all the stuff I "have to" read later; some wait there as an open tab for weeks before getting read and closed. It feels like a fresh start every time I manage to do so. Just the Firefox start page without anything else. I'd better not go to any interesting website right now, especially not one of those aggregators that can lead to tens of open tabs in a minute. Let's savor the moment.

Along with some other issues like CSRF, tab surfing mainly hurts our time management skills (or lack thereof). With the old browsers you could have opened a lot of windows, but it felt crowded after 10, and when the browser crashed, as it generally did (i.e. IE), it didn't do you the "favor" of restoring all the windows. These days, when using a browser like FF, it's easy to open tons of tabs without even noticing. The only thing that could have saved us is the small memory leak in FF that forces us to restart the browser every so often. Sadly enough, there are add-ons like Tab Mix that will restore all of the tabs. Or what I generally do is just kill the process and launch FF again to get back all of my tabs with clean FF memory. You can't just lose the tabs; you need to read them!

I was starving for something that would help my condition. There are lots of tab-related add-ons for Firefox that do all kinds of tricks, but look at this one I found here, named Read It Later. Look at the name: it'll help me to, you guessed it, read it later. I don't need my tabs to sing or be colorful, I just want to be able to close the tabs and not feel like I'm losing anything.

So far so good, but will I really read these tabs later? Because sometimes it's worth it, reading later, that is. And I believe I won't, because Read It Later reminds me too much of this "uber" technique I have of dragging all the links from the address bar into a folder. This way you clear the tabs and have it all saved, but you never even open that folder again. Read It Later generates a plain list which has no appeal and doesn't really convince me to get back to it, especially when it gets crowded with lots of links.

Luckily there is yet another tab saver that focuses on tab saving, named Taboo. The obvious benefit of Taboo is that it generates thumbnails of the saved links, which helps to distinguish the good saves from the lesser ones. Taboo can also show you the saved tabs inside a calendar. For me that's all I want: give me the saved tab and tell me how old it is. The only thing missing from Taboo is that you can't right-click on a link and save it; it has to be an open tab. And also no offline reading, but who needs it anyway; just open the tabs before you go offline, if you ever do go offline. Taboo adds just two buttons near the address bar, and has been working fine for me so far.
[Screenshot: Taboo buttons]

There are other tab savers that try to do too much; they wanna be more than a simple tab saver, and lose their purpose by doing that. For example ScrapBook, which does too much IMHO. ScrapBook has the nerve to add itself in too many places, even in my FF main menu, right after my Bookmarks menu button. Are the ScrapBook saved tabs equal to my main FF bookmarks?! I don't think so!

[Screenshot: ScrapBook]

Maybe I need to sell my Ferrari, not that I own a Ferrari (yet), you know, metaphorically speaking. Unplug the switch, disconnect, get a life, bring a hammer and break my laptop into tiny pieces. Wait, that's the company's laptop; I don't think they'll like that.

Anyway, this post has become quite a rant, and I would finally say that tab surfing is too good a feature; maybe I was better off without it, but it's here to stay and I'm not gonna quit using it, so I'd better find some way to complement it. I have all of these add-ons and more still installed, and I'll let you know how it's working.