CESA-2008-009 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
Firefox 2 and WebKit nightly cross-domain image theft
Programs affected: Firefox 2, prior to 2.0.0.18. Firefox 3 never affected.
WebKit nightly was affected somewhere between Safari 3 and 4.
Fixed: Firefox 2.0.0.18, Firefox 3.
Severity: Cross-domain theft of arbitrary images; machine fingerprinting.
CVE-2008-5012
MFSA 2008-48
Arbitrary images (authenticated and unauthenticated) can be stolen cross-domain
by fooling the browser about the domain of origin and then rendering the image
to a canvas and stealing it with the Javascript getImageData API.
Fooling the browser about the domain of origin is accomplished by using "the
302 redirect trick". This involves accessing the image via a URL local to the
current (evil) domain. This local URL hosts a redirector which redirects to the
remote image we wish to steal. The browser records the origin of the image from
the URL it originally requested (the evil domain) rather than from the URL that
finally served the bytes after the redirect, so the canvas is never marked as
tainted and getImageData succeeds.
Interestingly, despite the diverse code base, WebKit had exactly the same issue.
No production WebKit browser that I know of was ever affected because Safari 3.1
and Chrome pre-1.0 were based off a WebKit without the APIs which read image
data (such as getImageData and toDataURL).
Demo
You can read the demo code at
https://cevans-app.appspot.com/static/ff2stealimgbug.html
Credits
- Georgi Guninski independently reported this privately to Mozilla some
time ago. It was silently fixed in Firefox 3 but left unfixed in Firefox 2,
hence the independent discovery.
- Michal Zalewski for noting (and demoing) the additional attack vector of
enumerating the locally installed applications, which has fingerprinting
possibilities.
- Google - this flaw was discovered in Google's time. I'm with Google's
Security Team, and we're always recruiting talented security individuals.
Mail me.
Chris Evans
scarybeasts@gmail.com