Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Boolean algebra and CSS history theft

From: Diego Rodriguez <drodriguez () opengov com>
Date: Tue, 24 Jun 2014 13:14:05 -0700
After reading your history theft with CSS article,  it got me wondering if
that's what the Passpack service is doing. I've been using passpack.com for
a while and after logging in to my account it always asks to 'click on the
black square to continue'. The page shows 8 white squares with one black
square being randomly positioned on every new log in. I've emailed passpack
asking them what it's for and am waiting for their response.


On Tue, Jun 24, 2014 at 12:14 AM, Michal Zalewski <lcamtuf () coredump cx>
wrote:


OK, this is more fun than any immediate risk...

Those of you who follow web security topics probably remember that
until mid-2010, you could extract very substantial chunks of one's
browsing history by applying distinctive styling to thousands of
off-screen :visited links and then reading that information back
through the getComputedStyle API or in a couple of related ways.

This loophole has been closed by making it practically impossible to
programmatically measure any side effects of the styling applied to
:visited links (spare for some relatively wonky redraw timing
attacks). The information could be read back only with user's
assistance, which seemed much less interesting for two reasons:

1) It is relatively difficult to come up with really compelling,
casual interactions where the user would unwittingly divulge styling
information on specially prepared links to a rogue website,

2) Even if you could come up with such an attack, you would be limited
to probing roughly one visited link per click, so the throughput would
be very low.

Few months ago, I published a whimsical PoC showing that the first
assumption may be somewhat short-sighted. True to my lifelong dream of
becoming a fabulously wealthy game developer, I created this
low-grade, knock-off version of Asteroids:

http://lcamtuf.coredump.cx/yahh/

Today, I wanted to show an equally silly but less entertaining
proof-of-concept that touches on the latter topic. The PoC shows how
to measure the state of multiple links - possibly a dozen or so - with
a single casual click:

http://lcamtuf.coredump.cx/css_calc/

The PoC is based on carefully constructing Boolean operators with the
extremely rudimentary subset of CSS permitted for :visited links. I
don't want to spoil it all, but you can pull it off in a somewhat
funny way. There is no game included; I was going to have a logo for
this vulnerability instead, but my publicist didn't deliver (again).

Cheers,
/mz

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/





-- 
*Diego Rodriguez*
Engineer | OpenGov <http://www.opengov.com/>

www.opengov.com | drodriguez@opengovcom <https://twitter.com/opengovcom>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: