Black Hat Europe: Hijacking Clicks With Same Origin Method Execution

AMSTERDAM - BLACK HAT EUROPE - A researcher has discovered a new attack method that could potentially impact many of the world's largest websites. One site confirmed by the researcher as being vulnerable was Google+, which was patched just a couple of days ago.

Trustwave researcher Ben Hayak presented the attack method, which he calls Same Origin Method Execution (SOME), at the Black Hat Europe security conference in Amsterdam, the Netherlands.

Hayak has demonstrated that, in the case of Google+, the vulnerability could have been leveraged to easily gain access to users' photos and videos. All an attacker needed to do was to get the victim to click on a malicious link and all the files would be sent to him.

According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google's "Auto Backup" feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target's Google+ account and send them to his own server simply by getting the victim to click on a link.

The flaw, which is related to JavaScript Object Notation with padding (JSONP) implementation, enables an attacker to perform actions on the targeted user's behalf. The attack also works without user interaction if malicious advertising (malvertising) is used as a vector, Hayak told SecurityWeek in an interview.

Same Origin Policy (SOP) is a security mechanism that's used to prevent unrelated websites from interacting with each other. However, there are situations when a website needs to overcome SOP and communicate with third-party services. For example, a website that needs to identify its visitors' location might use a geolocation service such as Telize. In this case, Web developers can use JSONP, a communication technique that allows websites to request data from servers in a different domain by taking advantage of the fact that browsers don't enforce SOP on <script> tags.

While JSONP can be highly useful, it can also make a website vulnerable if it's not implemented correctly. JSONP uses a callback function to get data from third-party services. Hayak discovered that by manipulating the callback parameter, he could execute arbitrary methods on the affected website.

When the victim clicks on the malicious link, a new window is opened for each of the methods that is executed. Everything happens quickly and the newly opened windows used to execute the methods are closed before the victim realizes something is not right. In order to avoid raising any suspicion, the attacker can open a legitimate website once the attack is completed.

According to the researcher, an attacker can execute as many methods as necessary. For example, in the case of Google+, the attack was conducted in two steps. In the first step, the images on the victim's account were selected, and in the second step they were sent to the attacker.

One worrying aspect is that if a domain is vulnerable, all the pages on that particular domain are vulnerable.

The attack has been successfully tested on Google+, but the researcher says other websites are also vulnerable. A detailed research paper on SOME attacks will be published in the coming months and it will contain the names of other impacted services. Hayak told SecurityWeek that the flaw was identified on the sites of some financial institutions as well.

The issue was reported to Google roughly four months ago, and the company patched it a couple of days before Hayak made his findings public. Google rewarded the researcher with $3,133.7 for his findings.

Securing websites against SOME attacks

According to the researcher, SOME attacks can't be blocked with cross-site request forgery (CSRF) protection because the attacker is actually simulating user interface clicks. Cross-site scripting (XSS) filters don't work either because the attacker only needs to use alphanumeric characters and a dot to pull off the attack. Frame busting, which is a common defense method against clickjacking, is also ineffective, and the researcher has found a way to bypass popup blockers, which could otherwise potentially mitigate the attack.

Hayak says there are three methods that can be used to protect websites using JSONP against such attacks. One would be to use a static function name for callbacks. Another method, which was used by Google to address the issue, is to whitelist callbacks on the server side. A third method, which the researcher recommends, is registering callbacks.
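
The first two of these defenses, sketched as an added example that is not taken from Hayak's research or from Google's fix. The function names, the callback names in the allowlist and the sample inputs are all assumptions made for illustration; the character-filter variant is included to show why a filter alone does not help when alphanumerics and a dot are enough.

```javascript
// Added example: server-side handling of a JSONP "callback" parameter.
// Every identifier below is hypothetical and chosen for illustration.

const ALLOWED_CALLBACKS = new Set(["handleGeo", "renderProfile"]);
const STATIC_CALLBACK = "jsonpCallback";

// Serialize the payload so it cannot break out of the <script> response.
function serialize(data) {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Weak: a character filter only. It rejects markup and parentheses, but a
// dotted reference to any method reachable in the page still passes, which
// is the class of input the article says is sufficient.
function jsonpFiltered(callback, data) {
  if (!/^[A-Za-z0-9.]+$/.test(callback)) return null;
  return `${callback}(${serialize(data)});`;
}

// Defense 1: static function name. The request parameter is ignored, so the
// caller has no influence over which function the response invokes.
function jsonpStatic(_callback, data) {
  return `${STATIC_CALLBACK}(${serialize(data)});`;
}

// Defense 2: server-side allowlist. Only callbacks the application itself
// defined are echoed back; anything else is refused (e.g. HTTP 400).
function jsonpAllowlisted(callback, data) {
  if (typeof callback !== "string" || !ALLOWED_CALLBACKS.has(callback)) {
    return null;
  }
  return `${callback}(${serialize(data)});`;
}

// Constructed sample inputs.
const sample = { ok: true };
const dotted = "some.object.path.method"; // passes the filter, not the allowlist
console.log(jsonpFiltered(dotted, sample));
console.log(jsonpAllowlisted(dotted, sample));
console.log(jsonpAllowlisted("handleGeo", sample));
console.log(jsonpStatic(dotted, sample));
```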

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.