Category Archives: Security

HTML5 Mobile Apps – Injection Heaven, Security Hell

Posted on by
3

Three weeks ago Path.com was fined for stupidly stealing their user’s contact list and saving it onto their servers. Path’s doing was obviously wrong but I’m not sure that their punishment was really justified, needing to pay this enormous bribe to the FTC using COPPA as an excuse. The lesson here is to always comply with COPPA.

Anyhow, in that same techcrunch article you can also find that “The FTC also took the opportunity to introduce a new set of guidelines for mobile developers“. Although they explain early in that article that it’s not meant to be a guideline, I still feel they misses a lot.

When it comes to HTML5 apps even the simplest app can greatly compromise the user privacy and security. If we’ll take the FTC example of a simple and harmless alarm clock app, If that app is built using HTML5 its size and complexity doesn’t matter. All that is needed is one javascript injection that will pass thorough.

How will that code be injected you may ask – all that is needed is for the app to load some content from a remote server the simplest example will be the “Terms And Condition” page which is mostly loaded into a WebView. It can be a more “complex” settings, like choosing the favorite color or loading the saved alarms. Any kind of sharing will probably be way more open to be exploited, i.e. “share your favorite alarms”. Push messages might also bring malicious code. ETC’

The bottom line is that any injection of javascript will give an attacker a lot of control over the device, more often than not it’ll be persistant. HTML5 apps usually use the localStorage that is rarely flushed, and leverage native DBs and the file system. The “page” or webview is rarly refreshed, so even if the injection is not persistant it’ll be alive for a long time.
Things like stealing the user’s contact list and tracking the user location are pretty common. Enabled by default in iPhone PhoneGap for example.

It’s only limited by the native API that is opened to Javascript, generally it’s very open, even more than the PhoneGap default API. I know of at least 1 popular HTML5 app that opens almost all of the Android native API.

You see, Javascript is one tough beast – it can run almost anywhere.
Javascript was designed basically as a none important sidekick to the browser’s HTML, “it should not cause any problems by being poorly written and should fail silently and not interfere with the main thing that is HTML.” Seriously that how it was, we’re lucky it’s not case insensitive. I’m sure that back than some people though it’ll make it simpler and better.
So, Javascript will run in any dom element no matter how naive you may think it is, it will run in unexpected parts of the element without needing the <script> tag, i.e. onerror=”attack()”. It used to even run from CSS and from images, but we’re over that now asfaik in mobile browsers.

As opposed to that, it’ll take a very special case for injection to be able to execute arbitrary native code. You can make a native android app that will run anything – even get root, but I doubt that any legitimate app regularly download strings and run it as commands. (basically on rooted Android you can do exec(“su”) and everything else)

With Javascript the app does not need to be designed in any special way, an unsanitizes string will likely to execute.

These kind of injection are not the sole problem of PhoneGap based applications.
Any app that uses HTML5, even if it’s mostly native, any API that is opened to javascript can be leveraged by an attacker.

Phonegap (Cordova) has a mechanism to white list remote hosts which is really only effective on the iOS. It adds a little bit of security, but many apps anyway uses a wildecard “*” to allow all hosts. The wildcard is used by default in the phonegap cloud (saas solution to build phonegap apps)

As you can see the option for an attacker are enourmoe, all it needs is one vector of injection and there is an open path (no phan) to take over all of the devices of all of the users.

HTML5 apps that runs inside the mobile browser are also a nice target for injection attacks, althouygh it’s lacking most of the native api, there is still access to location in all mobile browsers. It’s less powerful for the attacker since it’ll prompt the user way more vigusly.
The Dolphin Mobile Browser implement the full phonegap native api, for example (which is generally a good thing), but it makes in-the-browser websites and apps more exposed to attacks.

So what to do than?!
- Sanitize sanitize sanitize all user input, server and client!

Say What, Flash is More Secure Than HTML5?!

Posted on by
3

So my favorite script kiddy and copycat, Feross (copied, note the shameless “I discovered” in his Quora post, LoL)
Found a social engineering flaw in the HTML5 fullscreen mode that can be used for phishing attacks. This time it might be even his own finding… what do you know ;)

This flaw is very much similar to the well known and very old picture-in-picture
Picture-in-Picture Phishing Attacks and Operating System Styles
More info..
IMHO the old version is still way more dangers for phishing.

So How Flash is more secure?

What enables this HTML5 fullscreen flaw to exist in his prime is the fact you have full keyboard access. This way an attacker can more easily steal the user’s credentials.
After all fullscreen was existant in Flash for many years now, yet it was never compromised this way. The main reason is that Flash is more secure is that it does not allow full keyboard interaction in fullscreen.

Good thinking Adobe, taking care our security… oh wait… Flash was added with this feature with version 11.3… after all Flash can’t be left behind…
Working demo…

Damn… but still Flash gives you a decent popup confirmation which HTML5 doesn’t

Yeah, I know Chrome give you a popup too, but you don’t have to click on it to get FULL keyboard access.
I constructed this “amazing” demo here (chrome only), as you can see you get the message but the keyboard is fully functional and accessible through javascript.

So still Flash is more secure than HTML5 – in that respect.

It takes us back to what me and other were preaching about, that with great power comes great responsibility.
HTML5 have its own flaws and the more powerful it’ll become it will get even more.

Stay tuned…

Webcam ClickJacking Revived

Posted on by
3

Two weeks ago this guy managed to revive my 3 years old Webcam ClickJacking POC and also managed to revive some of the buzz surrounding it.

The revived attack is exactly the same as my 2008 POC it even uses lots of my code. The different is that instead of using the settings manager html page as the source of the iframe it’s now uses the setting manager swf directly. Actually, this was the first thing I’ve tried after Adobe frame bust the settings manager pages. It didn’t work well for my windows browsers so I’ve ditched it. One of the first comment on my Webcam Clickjacking post created the same thing and gave a link to it (it is now links to an AD). So obviously everyone knew it or at least thought about it – everyone except Adobe.

The Flash Player provide great power on the web, it’s still the only practical mean to interact with the user’s webcam and microphone. You know the cliché, with great power comes great responsibility. Adobe needs to be vigilant when it comes to her users security and privacy, and her users are practically everyone.

Obviously that every new version of the Flash Player should go through vigorous security testing. It’s also needs to be done with every new browser and OS version. That’s a huge matrix but it needs to be done. For example, browser change the way they embed plugins which can easily leads to flaws even if the Flash Player stays the same.

Back than Adobe knew about the ClickJacking beforehand coz they were informed by RSnake and Jeremiah Grossman. They didn’t knew specifically about my POC and the way it exploits the settings manager, but anyhow they should have at least frame-bust every related page. It’s insane that in all of these 3 years no one bothered to at least Flash-bust the settings manager SWF and prevent the resurrection of my POC.

BTW, good job Feross Aboukhadijeh, my name is Guy Aharonovsky – whois is easy…

John Smith’s younger brother, Adam

Posted on by
1

Update: Youtube has revived my video. you can now watch Webcam Clickjacking as much as you like. —

Remember ClickJacking? The generic flaw in web browsers and HTML. Remember Webcam Clickjacking? My PoC showing how this flaw can be used to take control over a victim webcam and mic.

Well, my PoC, to my surprise, created a lot of buzz when I published it and the related youtube video got 1,220,966 views – most of it from its first day.

view_count

Yesterday I got an email from youtube titled “Video removed – Copyright Infringement”. At first I thought it’s just another spam mail, but looking inside it and than trying to watch my video gave me an alarming red webpage, with the bold text “This video is no longer available due to a copyright claim by Adam Smith.

WTF, what copyright shmopiright, my video has no sound and barley a screen capture of my mouse. In-fact I sometime claim it to be the most dull video with the most views.

My immediate suspect was Adobe, but it made no sense, if they wanted to, they should have done it when it was hot. Than again sense and Adobe legal dept’ doesn’t always go together. flashObject anyone?

Googleing for such a generic name as “Adam Smith” gives about 3,570,000 results, apparently it’s more generic than “John Doe”. Googleing for “Professor Adam Smith” from adobe gives some possible options but it’s still not informative enough and too vague.

So who is this MR. Generic claiming I’ve stole his precious copyrights. Maybe he’s just a fake dude trying to annoy. Even if he’s real, I guess when you have such a generic name you don’t care to be hated, nobody is gonna correlate your face with your name anyway.

Anyhow, I’ve filed a counter-notification and hopefully the video will be up again soon. Even if it won’t, I’m sure it’ll appear in some other places.

There is a lot of info regarding “my video was removed from youtube” just google it, if you need to.

There is a lesson to be learned here, one should never trust google, and alike with their important assets. It can get shut-down in an instance. Personally I don’t care much about this video, I didn’t get a dime out of it and its heydays are long gone. But, there are cases where people lost all of their income one day since google removed their blogspot hosted blog, for example.

If you want full control over your videos and such, you should be hosting it yourself, and on some remote island. Than again, they still be able to cut your cable.

I just wonder where the hell is the decentralized web?! Too few people are controlling too much stuff.

Flash Private Browsing Fixed – Not Good Enough

Posted on by
3

I was going to congrat Adobe for their fix to the private browsing in Flash, this was my original text:

I’m glad to say that Adobe has fixed the minor issue they had with the new Flash Player 10.1 private browsing. I’ve written before on how a developer can tell the user’s browsing mode.

The Flash Player that is installed with CS5 is 10.1.52.14 which still suffer from this bug. If you surf the web using private browsing mode you should update the Flash Player to the latest, currently, 10.1.53.38 (RC4). Actually you should update it anyway.

But, when I went to see what have they changed in order to fix it. I saw that both modes, now, have the same limit of 100KB, but it’s still differ. While trying to save more than 100KB in normal browsing mode the status is “pending” while in private browsing mode it immediately fails.

Making this demo functional again required changing 1 line of code. Using any Flash Player, from 10.1_beta2 till latest 10.1.53.38(RC4) should show you if you’re in private mode or not.

[kml_flashembed movie="http://blog.guya.net/wp-content/uploads/2010/05/KissAndTell.swf" width="400" height="35" /]

So, please, again, normal and private browsing modes should behave exactly the same from a developer standpoint. Making local storage limit the same 100KB was a step in the right direction, but, it’s not enough. Let any Flash content ask for more storage even if it’s in private mode and allow the user to accept it, just remember to delete the user’s choice along with the local storage.

BTW, it might be possible to trick the browsers to tell you the user’s browsing mode, using HTML5 localStorage for example, and without using Flash.

The updated source code is below:

package {
	import flash.display.Sprite;
	import flash.display.StageAlign;
	import flash.display.StageScaleMode;
	import flash.events.NetStatusEvent;
	import flash.net.SharedObject;
	import flash.net.SharedObjectFlushStatus;
	import flash.text.TextField;
	import flash.text.TextFieldAutoSize;
	import flash.text.TextFormat;
	import flash.utils.getTimer;
	import flash.utils.setTimeout;

	/**
	 * This class will tell the current browsing mode of the user
	 * Tested with Flash Player 10.1 beta 2 - 10.1.53.38 (RC4)
	 * for more info go to:
	 * http://blog.guya.net
	 */

	[SWF(backgroundColor="#FFFFFF", width="400", height="35")]
	public class KissAndTell extends Sprite
	{
		private var _tf:TextField;

		public function KissAndTell()
		{
			initStage();
			createTF();
			setTimeout(saveData, 300);
		}

		private function initStage():void
		{
			stage.scaleMode = StageScaleMode.NO_SCALE;
			stage.align = StageAlign.TOP_LEFT;
		}

		//try to save 140kb into the local storage
		private function saveData():void
		{
			var kissSO:SharedObject = SharedObject.getLocal("kissAndTell");
			kissSO.data.value = getDataString(140);

			var status:String;

			try
			{
				status = kissSO.flush();
				kissSO.addEventListener(NetStatusEvent.NET_STATUS, netStatusHandler);
			}
			catch(ex:Error)
			{
				trace("Save failed - private browsing mode");
				setPrivateText();
			}

			if(status && status == SharedObjectFlushStatus.PENDING)
			{
				trace("Pending status - normal browsing mode");
			}

			/***  Changed in the newer versions of the Flash Player 10.1 beta ***/
			//If we can save more than 100kb then we're in Private Mode
			else if(status && status == SharedObjectFlushStatus.FLUSHED)
			{
				setPrivateText();
            }
		}

		//Listening to this event just to prevent exception on debug players
		private function netStatusHandler(event:NetStatusEvent):void
		{
			trace("event.info.code: " + event.info.code);
		}

		private function setPrivateText():void
		{
			_tf.text = "Private Browsing Mode";
			_tf.backgroundColor = 0xAA2222;
		}

		private function createTF():void
		{
			_tf = new TextField();
			_tf.autoSize = TextFieldAutoSize.LEFT;
			_tf.defaultTextFormat = new TextFormat("Arial, Verdana", 20, 0xFFFFFF, true, null, null, null, null, null, 10, 10);
			_tf.text = "Normal Browsing Mode"
			_tf.backgroundColor = 0x22AA22;
			_tf.background = true;
			addChild(_tf);
		}

		private function getDataString(kb:int):String
		{
			var t:int = getTimer();
			var word:String = "GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_";
			var count:int;
			var a:Array = new Array();
			var lenNeeded:int = kb * 1024;
			while(count * word.length < lenNeeded)
			{
				a.push(word);
				count++;
			}

			var ret:String = a.join("");
			trace("time for generating " + kb + "kb: " + String(getTimer() - t) + " ml");
			return ret;
		}

	}
}

Kiss And Tell What Is The User Browsing Mode

Posted on by
7

To know if the user is currently in normal or private browsing mode can be valuable info for any ads providers and spammers, but not only.

With the upcoming Flash Player 10.1 (currently in beta 2) there are many welcome improvements. One of these is the support for private browsing as described in this article.

For me, one thing that  immediately jumped out from the aforementioned article was that, unintentionally, with the aid of the new Beta Flash Player, websites can tell which mode the user is currently using.

“…in private browsing with default settings, the default local storage limit in private browsing is 1 MB…”

“To protect user privacy, there is no way for developers to tell whether their content is handling normal or private LSOs. Flash Player handles local storage data in the same way.” No it doesn’t!

Not only I can tell about the current status of the Flash Player browsing mode, but now I can tell about the browser itself since Flash inherit its mode from the browser.

Load a small enough SWF (less than 215 x 138) so it won’t ever show the settings dialog.

Now, kiss (sorry for the cheesiness ;) ) the local storage with data greater than 128kb. If it reject the kiss then you’re in normal browsing mode, if it accept it you can tell it’s a private mode.

It’s that easy, load this blog post in Private Mode with Flash Player 10.1 beta 2 installed and you’ll see the difference:

[kml_flashembed movie="http://blog.guya.net/wp-content/uploads/2010/01/KissAndTell.swf" width="400" height="35" /]

The solution is simple, private and normal modes should behave completely the same. In this case the local storage capacity should be the same. Lower both to 128kb or up both to 1MB. Which one is better, you may ask?! I’ll tell you latter ;)

The good thing is that Flash Player 10.1 is still in beta 2 so I’m sure it’ll be fixed for by the final release.

The source code is below:

package {
	import flash.display.Sprite;
	import flash.display.StageAlign;
	import flash.display.StageScaleMode;
	import flash.events.NetStatusEvent;
	import flash.net.SharedObject;
	import flash.net.SharedObjectFlushStatus;
	import flash.text.TextField;
	import flash.text.TextFieldAutoSize;
	import flash.text.TextFormat;
	import flash.utils.getTimer;
	import flash.utils.setTimeout;

	/**
	 * This class will tell the current browsing mode of the user
	 * Tested with Flash Player 10.1 beta 2
	 * for more info go to:
	 * http://blog.guya.net
	 */

	[SWF(backgroundColor="#FFFFFF", width="400", height="35")]
	public class KissAndTell extends Sprite
	{
		private var _tf:TextField;

		public function KissAndTell()
		{
			initStage();
			createTF();
			setTimeout(saveData, 300);
		}

		private function initStage():void
		{
			stage.scaleMode = StageScaleMode.NO_SCALE;
			stage.align = StageAlign.TOP_LEFT;
		}

		//try to save 140kb into the local storage
		private function saveData():void
		{
			var kissSO:SharedObject = SharedObject.getLocal("kissAndTell");
			kissSO.data.value = getDataString(140);

			var status:String;

			try
			{
				status = kissSO.flush();
				kissSO.addEventListener(NetStatusEvent.NET_STATUS, netStatusHandler);
			}
			catch(ex:Error)
			{
				trace("Save failed");
			}

			//If we can save more than 128kb then we're in Private Mode
			if (status && status == SharedObjectFlushStatus.FLUSHED)
			{
				setPrivateText();
            }
		}

		//Listening to this event just to prevent exception on debug players
		private function netStatusHandler(event:NetStatusEvent):void
		{
			trace("event.info.code: " + event.info.code);
		}

		private function setPrivateText():void
		{
			_tf.text = "Private Browsing Mode";
			_tf.backgroundColor = 0xAA2222;
		}

		private function createTF():void
		{
			_tf = new TextField();
			_tf.autoSize = TextFieldAutoSize.LEFT;
			_tf.defaultTextFormat = new TextFormat("Arial, Verdana", 20, 0xFFFFFF, true, null, null, null, null, null, 10, 10);
			_tf.text = "Normal Browsing Mode"
			_tf.backgroundColor = 0x22AA22;
			_tf.background = true;
			addChild(_tf);
		}

		private function getDataString(kb:int):String
		{
			var t:int = getTimer();
			var word:String = "GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_";
			var count:int;
			var a:Array = new Array();
			var lenNeeded:int = kb * 1024;
			while(count * word.length < lenNeeded)
			{
				a.push(word);
				count++;
			}

			var ret:String = a.join("");
			trace("time for generating " + kb + "kb: " + String(getTimer() - t) + " ml");
			return ret;
		}

	}
}

Has my blog got hacked again?!

Posted on by
Reply

I was checking my email when all of a sudden I saw this email “New WordPress Blog”. I didn’t remembered adding, updating or doing anything with my blog. I thought about it yesterday though. Could it be that WordPress is so smart and read my mind.

Something was fishy, I’ve already experienced the fact the WP can be hack-able sometimes. I rushed to backup and remove the blog, before the hackers will start messing with me and my visitors.

I was already FTPing when it came to me, even if it was really hacked no need to rush about it, I’ll try to find out what happened.

And indeed google gave the quick answer that if the option database table get corrupted, somehow it gets, WP behave as a new install.  You only need to repair it from the phpMyAdmin, that’s it %)

Anyway it’s time to redo things in my blog, but without the rush.

The moral is always “google it” before you jump to any assumptions.

The biggest terrorists in the world are… Flex bloggers

Posted on by
8

Adrian Parr, a Flex blogger mostly known for his post listing of AS3 frameworks got hacked by some political lamers. The whole blog is replaced with common and lame hacker page. The allegedly hackers came from this Arab security forum, m4r0c-s3curity.cc.

What is the relation of this blog to your “war on terror”?! Leave your political BS where it belongs.

Google Hackathon was hacked

Posted on by
3

Two days ago, the first Israeli Google Developer Day was held. It was a colorful and interesting event, to the best of google tradition.

Yesterday, all attendees got an email saying that an unauthorized network activity was detected.

“We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet.”

Beside the interesting lectures there were two code-labs or hackathons going on. The first thing that came to my mind when I saw everyone are connecting their laptops, wirelly and wirelessly, is that someone will abuse this for some king of Man in the middle attack. But for some reason I thought that since it’s google, they won’t let something like this to happen.

Just minutes before, I asked the google experts over there, which are very nice and professional in there own fields, about the GMail Frame Injection issue. I wasn’t accusing anyone just trying to raise a discussion about it. It seemed that no one knew about it and no one really cared. The suggestion I got was that I should report this somewhere in the GMail website. But, it’s already been reported, I protested.

I should have understood by this, that security isn’t the first priority of these uber geeks.

Maybe we’re expecting too much from google, they’re just the greatest company they’re not gods.

Anyhow I wasn’t hurt by this since I don’t transfer sensitive non encrypted data in these kind of places. And it might be that google is just covering themselves just in case someone got hurt. And most users weren’t really affected.

On a side note, I’ve allowed myself to “analyze” the google dev crowd, I’d expected them to be in higher level then, for example, the Microsoft crowd.

Indeed, in a rough inclusion, the google crowd is much geekier and also much more nerdish, as opposed to the Microsoft crowd, especially here in Israel :D . It can be said that MS is much more approachable and that they create tools that anyone can use, or that MS is aiming to the lowest common denominator, or that everything is political. I don’t care. All I know is that I don’t feel belonging to any of these. The google crowd is too smart nerdish and MS crowd is too… how to say it politely… too stupid common.

I’m somewhere in the creative outskirt, I’m in the Flash crowd :)

P.C. Not that it’s anything wrong about it to be a common .Net developer, a lot of my best friends are .Net developers ;)

Malicious camera spying using ClickJacking

Posted on by
104

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response. —-

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it in here, this demo won’t listen or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

[kml_flashembed movie="http://www.youtube.com/v/gxyLbpldmuU" width="450" height="376" /]

When I’ve first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job disabling itself when you try to mess with it’s visibility through DHTML. Unless there’s some 0-day issue with the Dialog it’s probably relatively safe.

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

I’ve written a quick and dirty Javascript game that exploit just that, and demonstrate how an attacker can get a hold of the user’s camera and microphone. This can be used, for example, with platform like ustream, justin and alike or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but, bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index

I had doubts about publishing this, but, if I could have understand it so are the bad guys, so it’s better to know about it.

In this case Adobe could have just framebust the pages that holds the Settings Manager. There are two issues with frambusting in this case, it won’t solve all cases (legacy browsers for ex) and will force Adobe to rely on javascript.

Play it here, watch it here