Flaw in Unity Web Player Allows Theft of Personal Data: Researcher

A serious vulnerability in Unity Web Player can be exploited by malicious actors to steal sensitive information from users, a researcher has warned.

Unity is a cross-platform game engine developed by Unity Technologies. The company says there are roughly 4.5 million registered developers that use Unity to create games, which are played by 600 million gamers worldwide.

Unity Web Player is a plugin designed to allow users to view 3D content created with Unity directly in their browsers. The plugin is installed by hundreds of millions of users.

Finnish researcher Jouko Pynnönen of Klikki Oy, who has uncovered serious vulnerabilities in numerous popular plugins over the past period, says the Unity Web Player plugin is plagued by a cross-domain policy bypass vulnerability that allows malicious web applications built with Unity to steal information from other websites.

According to the expert, the Unity Web Player plugin implements cross-domain policies to prevent a web application from accessing resources on other websites or the file system. However, the restriction can be bypassed.

“A specially formatted URL in a HTTP redirection can be used to bypass these restrictions. A malicious app loaded from ‘http://x:[email protected]’ could access an URL from e.g. ‘http://x:[email protected]/redirector’ which could return a HTTP redirect status code (301, 302, 307) and a Location: header pointing at ‘http://x:[email protected]/’,” the researcher explained. “The redirect should be denied because it points to a different domain. However, Unity Web Player allows the redirect because it erroneously bases its evaluation on the user:password part of the URL which is identical in both URLs (‘x:y’).”

An attacker can exploit the vulnerability by setting up a malicious Unity application online and tricking users into accessing it. Once launched, the malicious app can access private information from the victim’s other online services (e.g. messages on Facebook and Gmail). For the attack to work, the victim must be authenticated on the targeted service, the researcher said.

Pynnönen told SecurityWeek that he successfully reproduced the vulnerability in Chrome, Firefox, Safari (on OS X), and Internet Explorer. In the case of Internet Explorer, the bug can be exploited to read files from the targeted user’s hard drive. Attacks against Chrome 42 users are difficult to pull off because starting with this version Google disabled support for the Netscape Plugin API (NPAPI) which is used by Unity Web Player.

The researcher has published a video and a poof-of-concept (PoC) application that demonstrate the existence of the vulnerability. Unity Web Player users can verify if they are affected by the vulnerability by accessing the test app while being logged in to their Google account.

Pynnönen said he attempted to notify Unity Technologies of the vulnerability back in December 2014, but the company didn’t respond to his messages sent via email and the website contact form. Unity only reached out to the expert on Wednesday, after he disclosed the existence of the vulnerability.

Unity Technologies has not responded to SecurityWeek’s request for comment by the time of publication, but the company told Pynnonen that it’s analyzing the bug and trying to improve its security response procedures.

UPDATE: Unity Technologies has released versions 4.6.6f2 and 5.0.3f2 of Unity Web Player to address the vulnerability. Pynnönen has confirmed for SecurityWeek that the patch works against his exploit.