Two information disclosure vulnerabilities recently identified in the Chrome, Edge, and Firefox web browsers may be exploited to obtain information on applications on the system, Fortinet reports.
The bugs impact Protocol Handlers, which are related to a mechanism that allows apps to register their own URI schemes used for process execution.
In Windows, there are three different keys used for the management of URL handlers, and web browsers would prompt users to choose a different application to handle URLs containing non-http schemes.
“Though it requires user interaction and thus poses a limited risk, it expands the attack surface beyond the browser borders,” Fortinet security researcher Rotem Kerner says.
To exploit the feature, an attacker could create web pages meant to trigger potentially vulnerable applications within the victim system. Such attacks may even bypass protection mechanisms like Smart Screen, the researcher argues.
By exploring possible ways to abuse this feature, Kerner discovered that Firefox (78.0.1 64-bit, on Windows 10) could leak protocol handlers.
Tracked as CVE-2020-15680 and already patched, the vulnerability exists because the web browser renders an image whose source points to an existing protocol handler differently from one whose source points to a non-existent handler. Specifically, if the source of an image element is set to a non-existent handler, the element is rendered with a size of 0x0.
“This difference can be measured using a simple JS script. Based on this, a malicious actor may perform a brute-force attack to disclose the different protocol handlers on a targeted system,” the security researcher notes.
In Chrome (tested against version 83.0.4103.116 on Windows 10), the exploitation of this issue is noisier, but the results are the same.
Here, Kerner explains, the browser window loses focus when the user is shown the message box asking whether a different application may be opened, which happens only if the handler exists. To brute-force the list of handlers without opening one message box per probe, the attacker could redirect the victim to a different domain for each attempt.
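Both variants above share a visible pattern: a single page that references many different custom URI schemes, either as image sources (Firefox) or as navigation targets (Chrome). The following detector, added here as an example and not part of Fortinet's write-up or any browser project, scans captured HTML (for instance from a web proxy or a sandbox) for elements the browser resolves as URLs, counts distinct non-web schemes, and flags the document when the count exceeds a threshold. The element list, the benign-scheme list, the threshold and the sample pages are all assumptions constructed for the demonstration.

```python
"""Heuristic detector for pages that probe many custom URI schemes.

Added example (not from the Fortinet write-up or any browser project).
It collects the src/data attributes of elements a browser fetches while
rendering, keeps only those whose scheme is not an ordinary web scheme,
and flags the page when many distinct custom schemes appear.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a normal page is expected to reference; anything else is "custom".
BENIGN_SCHEMES = {"", "http", "https", "data", "blob", "about", "javascript"}

# Elements and the attribute the browser resolves as a URL when rendering
# (assumed list; extend as needed for your environment).
URL_ATTRS = {
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "source": "src",
    "object": "data",
}


class SchemeCollector(HTMLParser):
    """Gathers custom schemes referenced by renderable elements."""

    def __init__(self) -> None:
        super().__init__()
        self.custom: dict[str, int] = {}  # scheme -> number of references

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urlsplit returns the scheme lowercased, or "" for relative URLs
                scheme = urlsplit(value.strip()).scheme
                if scheme not in BENIGN_SCHEMES:
                    self.custom[scheme] = self.custom.get(scheme, 0) + 1


def custom_schemes(html: str) -> dict:
    """Return {scheme: reference_count} for every non-web scheme in the page."""
    parser = SchemeCollector()
    parser.feed(html)
    parser.close()
    return parser.custom


def looks_like_handler_probe(html: str, threshold: int = 5) -> bool:
    """True when the page references at least `threshold` distinct custom schemes."""
    return len(custom_schemes(html)) >= threshold


# Constructed sample pages: one ordinary page and one that probes eight schemes.
SAMPLE_NORMAL = (
    '<html><body><img src="/logo.png">'
    '<img src="https://cdn.example/a.png">'
    '<img src="data:image/png;base64,AAAA"></body></html>'
)
SAMPLE_PROBE = (
    "<html><body>"
    + "".join(f'<img src="probe{i}://x" width="1" height="1">' for i in range(8))
    + "</body></html>"
)

if __name__ == "__main__":
    for label, page in (("normal", SAMPLE_NORMAL), ("probe", SAMPLE_PROBE)):
        print(label, custom_schemes(page), looks_like_handler_probe(page))
```

The threshold is deliberately coarse: a legitimate page may reference one or two custom schemes (a chat or conferencing launcher, say), whereas a handler enumeration page references dozens, so tune the value against your own traffic before alerting on it.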
“A wide range of applications nowadays uses custom URL handlers and can be detected using this vulnerability. Some examples: music players, IDE, office applications, crypto-mining, browsers, mail applications, antivirus, video conferencing, virtualizations, database clients, version control clients, chat clients, voice conference apps, shared storages,” the researcher says.
An attacker could exploit these issues to identify social apps used by the target, perform general reconnaissance, identify potentially vulnerable apps on the system, identify installed security solutions, or improve browser fingerprinting.
Contacted by the researcher, Google said this was a user fingerprinting issue, but confirmed that it would release a fix. Microsoft does not consider this a security flaw. However, Edge, which is based on Chromium, will likely be patched as well when the fix arrives for the open source browser.