CESA-2008-009 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Firefox 2 and WebKit nightly cross-domain image theft

Programs affected: Firefox 2, prior to Firefox 3 never affected. WebKit nightly was affected somewhere between Safari 3 and 4.
Fixed: Firefox, Firefox 3.
Severity: Cross-domain theft of arbitrary images; machine fingerprinting.
MFSA 2008-48

Arbitrary images (authenticated and unauthenticated) can be stolen cross-domain by fooling the browser about the domain of origin and then rendering the image to a canvas and stealing it with the Javascript getImageData API.

Fooling the browswer about the domain of origin is accomplished by using "the 302 redirect trick". This involves accessing the image via an URL local to the current (evil) domain. This local URL hosts a redirector which redirects to the remote image we wish to steal.

Interestingly, despite the diverse code base, WebKit had exactly the same issue. No production WebKit browser that I know was ever affected because Safari 3.1 and Chrome pre-1.0 were based off a WebKit without the APIs which read image data (such as getImageData and toDataUrl).


You can read the demo code at https://cevans-app.appspot.com/static/ff2stealimgbug.html


CESA-2008-009 - rev 1
Chris Evans