Tuesday, September 13, 2011

Exploiting iGoogle Gadgets

Exploitation of iGoogle gadgets which uses iframes under the hood is well known. Here is an excellent paper on Frame Navigation that explores this attack vector on iGoogle gadgets.

Below is a quick demo on redirection attack on iGoogle gadgets. All the attacks that I mentioned on FB iframe tabs also apply here. It is just that iGoogle is less viral making FB a better ROI target.

Exploiting FB Iframe tabs

FBML was deprecated and Facebook iframe tabs were introduced in Feb'11. As expected it caught significant traction from the developer and security researchers alike. While developers applauded introduction of existing mechanisms like iframes that enable writing 3rd party apps without any learning curve that traditionally existed with Facebook, the security community alarmed concerns over the viral nature of Facebook that combined with iframes further exacerbated their evil nature. Below is a screenshot of Levi's iframe tab on FB.

I love iframes. Haven't they existed there would have been shouts of killing HTTP and inventing a new protocol to support client side mashups. So in a sense, iframe is a blessing that enabled an unexpected requirement by chance although with some security implications. Another assurance on my belief that these great technologies - HTTP, iframe and JS are there to stay for a very very long time, if someone still doubted. I also believe the new specifications HTML5 Sandbox and ES5 are moving in the right direction to enable secure mashups - 1 day when those (IE6) are buried!

Back to the topic. Nothing new but worth visiting what all an attacker could technically exploit on FB iframe tabs. 

1. Malicious Redirection via top.location = http://s0m3phishing.com, as seen in the video below. For demo I perform a redirect to http:///yahoo.com

2. Fake Login / Malicious UI via  and window.open()

3. Drive-by Downloads/ Install Malware via Content-Disposition: attachment

4. Denial of Service (DoS) and Noise by creating infinite alert()and while loops. This particularly is an issue not concerning many, including the security community, but for business it is, as an attacker can impact user engagement and experience which are of prime importance in this business.

5. Browser History Sniffing/Mining via getComputedStyle()as highlighted in the screenshot below

6. Referrer Leak like Referrer: http:///r.html?a=secret&b=private

7. LAN Scanning via JavaScript. A good write up on this is available here