On 16.04.2007, at 18:02, Jeffrey Kretz wrote:
How would this work exactly? I thought that session cookies and file
cookies are only passed by the browser in a request to a matching
domain?
Or would it be something like this:
1. Log into Washington Mutual Bank Account (20 minute session).
2. Don't log out
3. In same browser, visit www.hackmypc.com
4. This new website initiates an Ajax call to WAMU, and because the
original session is still active, it works?
I explained it in detail here: http://groups.google.com/group/jquery-en/browse_thread/thread/b467908cd0bb5581/9b83cd2d22c1c140#msg_fb6eec66af5f199b
You basically got it right, except step 4. The real step 4 is:
4. This new website has a <script>-tag pointing to the bank account
site because browser security allows loading scripts from other
domains even if other cross-domain accesses are forbidden. The attack
would not work with AJAX, at least there's no way I know of.
Information about previous attacks on Gmail based on this and similar
techniques can e.g. be found here:
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
(the second posting is about an even more ridiculous vulnerability
than unsecured JSON, though, because Google used a real JavaScript
call there, so the malicious website does not even need to override
system object constructors to access the data. The underlying attack
technique is the same, though). Matt Kruse is in so far right as, as
far as I know, there have never been malicious exploits, but exploit
is exploit, even if only for demonstration, and everything which is
exploitable will be exploited maliciously sooner or later.
--
Markus Peter - [EMAIL PROTECTED] http://www.spin-ag.de/
SPiN AG, Bischof-von-Henle-Str. 2b, 93051 Regensburg, HRB 6295
Regensburg
Aufsichtsratsvors.: Dr. Christian Kirnberger
Vorstände: Fabian Rott, Paul Schmid
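The unsecured-JSON problem Markus describes (a JSON response that is also valid JavaScript when pulled in by a cross-domain script tag) is usually closed on the server. The following is an added example, not code from this thread or from jQuery; the request object, header name, data store and prefix string are assumptions chosen for illustration.

```javascript
// Added example (not from the thread): guarding a JSON endpoint against the
// cross-domain <script>-tag loading described above. Two independent
// defences are combined:
//  1. Require a custom request header. A <script src=...> element cannot set
//     request headers, while a same-origin XMLHttpRequest (jQuery sets
//     X-Requested-With on XHR calls) can.
//  2. Prefix the JSON body with text that is a JavaScript syntax error, so
//     even if the body is loaded as a script it fails before the array
//     literal is evaluated. The legitimate client strips the prefix.

const PREFIX = ")]}',\n";                 // not parseable as a script
const REQUIRED_HEADER = "x-requested-with";

// Constructed sample data standing in for account records. A JSON array is
// the interesting case: as a bare script it is a valid expression statement.
const ACCOUNT_DATA = [
  { id: 1, amount: -42.5, memo: "sample debit" },
  { id: 2, amount: 1500.0, memo: "sample credit" },
];

// Server side. `req` is a plain { headers: {...} } object standing in for
// the HTTP request; header names are matched case-insensitively.
function serveAccountJson(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (headers[REQUIRED_HEADER] !== "XMLHttpRequest") {
    // A <script> tag request never carries this header: refuse, no data.
    return { status: 403, body: "" };
  }
  return { status: 200, body: PREFIX + JSON.stringify(ACCOUNT_DATA) };
}

// Client side (same origin, via XHR): strip the prefix, then parse.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error("unexpected response format");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Parses (without running) a body the way a <script> tag would; returns
// true if the text is syntactically executable JavaScript.
function bodyIsExecutableScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}
```

Note that the bare JSON array passes bodyIsExecutableScript while the prefixed body does not, which is exactly the difference between the exposed and the guarded response.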