Black Hat Europe: Hijacking Clicks With Same Origin Method Execution

AMSTERDAM – BLACK HAT EUROPE – A researcher has discovered a new attack method that could potentially impact many of the world’s largest websites. One site confirmed by the researcher as being vulnerable was Google+, which was patched just a couple of days ago.

Trustwave researcher Ben Hayak presented the attack method, which he calls Same Origin Method Execution (SOME), at the Black Hat Europe security conference in Amsterdam, the Netherlands.

Hayak has demonstrated that, in the case of Google+, the vulnerability could have been leveraged to easily gain access to users’ photos and videos. All an attacker needed to do was to get the victim to click on a malicious link and all the files would be sent to him.

According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google’s “Auto Backup” feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.

The flaw, which is related to the implementation of JavaScript Object Notation with padding (JSONP), enables an attacker to perform actions on the targeted user’s behalf. The attack also works without user interaction if malicious advertising (malvertising) is used as a vector, Hayak told SecurityWeek in an interview.

Same Origin Policy (SOP) is a security mechanism that’s used to prevent unrelated websites from interacting with each other. However, there are situations when a website needs to overcome SOP and communicate with third-party services. For example, a website that needs to identify its visitors’ location might use a geolocation service such as Telize. In this case, Web developers can use JSONP, a communication technique that allows websites to request data from servers in a different domain by taking advantage of the fact that browsers don’t enforce SOP on <script> tags.

While JSONP can be highly useful, it can also make a website vulnerable if it’s not implemented correctly. JSONP uses a callback function to get data from third-party services. Hayak discovered that by manipulating the callback parameter, he could execute arbitrary methods on the affected website.

When the victim clicks on the malicious link, a new window is opened for each of the methods that is executed. Everything happens quickly and the newly opened windows used to execute the methods are closed before the victim realizes something is not right. In order to avoid raising any suspicion, the attacker can open a legitimate website once the attack is completed.

According to the researcher, an attacker can execute as many methods as necessary. For example, in the case of Google+, the attack was conducted in two steps. In the first step, the images on the victim’s account were selected, and in the second step they were sent to the attacker.

One worrying aspect is that if a domain is vulnerable, all the pages on that particular domain are vulnerable.

The attack has been successfully tested on Google+, but the researcher says other websites are also vulnerable. A detailed research paper on SOME attacks will be published in the coming months and it will contain the names of other impacted services. Hayak told SecurityWeek that the flaw was identified on the sites of some financial institutions as well.

The issue was reported to Google roughly four months ago, and the company patched it a couple of days before Hayak made his findings public. Google rewarded the researcher with $3,133.7 for his findings.

Securing websites against SOME attacks

According to the researcher, SOME attacks can’t be blocked with cross-site request forgery (CSRF) protection because the attacker is actually simulating user interface clicks. Cross-site scripting (XSS) filters don’t work either because the attacker only needs to use alphanumeric characters and a dot to pull off the attack. Frame busting, which is a common defense method against clickjacking, is also ineffective. Popup blockers could potentially mitigate the attack, but the researcher has found a way to bypass them.

Hayak says there are three methods that can be used to protect websites using JSONP against such attacks. One would be to use a static function name for callbacks. Another method, which was used by Google to address the issue, is to whitelist callbacks on the server side. A third method, which the researcher recommends, is registering callbacks.
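The first two of these defenses can be sketched on the server side as follows. This is an added example, not code from the researcher or from Google; the function names, the allowlist entries and the sample callback values are hypothetical, and the third method (registering callbacks) is not shown because the article does not describe how it works.

```javascript
// Added example: three ways a server can treat the JSONP "callback" parameter.
// All names below are hypothetical and the inputs are constructed.

// Character filter of the kind an XSS defence applies: alphanumerics and dot.
const CHARSET_ONLY = /^[A-Za-z0-9.]+$/;

// Weak: reflects any callback that passes the character filter, so a
// dotted path to an arbitrary method on the page is still accepted.
function jsonpCharsetFiltered(callback, data) {
  if (typeof callback !== "string" || !CHARSET_ONLY.test(callback)) return null;
  return `${callback}(${JSON.stringify(data)});`;
}

// Defense 1: static function name. The request parameter is ignored.
const STATIC_CALLBACK = "handleGeoResponse";
function jsonpStatic(_callback, data) {
  return `${STATIC_CALLBACK}(${JSON.stringify(data)});`;
}

// Defense 2: server-side allowlist of exact callback names.
const ALLOWED_CALLBACKS = new Set(["handleGeoResponse", "renderProfileCard"]);
function jsonpAllowlisted(callback, data) {
  if (typeof callback !== "string" || !ALLOWED_CALLBACKS.has(callback)) return null;
  return `${callback}(${JSON.stringify(data)});`;
}

// Constructed sample data and callback values.
const SAMPLE = { country: "NL" };
const LEGIT = "handleGeoResponse";
const DOTTED = "widget.parent.button.click"; // alphanumerics and dots only

// Run one callback value through all three handlers for comparison.
function compare(callback) {
  return {
    charsetFiltered: jsonpCharsetFiltered(callback, SAMPLE),
    staticName: jsonpStatic(callback, SAMPLE),
    allowlisted: jsonpAllowlisted(callback, SAMPLE),
  };
}

console.log(compare(LEGIT));
console.log(compare(DOTTED));
```

The dotted value passes the character filter and is reflected as a method call, while the static-name handler ignores it and the allowlist rejects the request.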

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
