Chrome Clickjacking Vulnerability Could Expose User Information on Google, Amazon
Contributed by: Email on 01/02/2013 09:09 AM
[
Comments
]
An apparent clickjacking, or UI redress vulnerability, in Googles Chrome web browser could make it possible for attackers to glean users e-mail addresses, their first and last names and other information according to recent work done by an Italian researcher.
Luca De Fulgentis, who writes about security for Nibble Securitys blog, detailed the issue earlier this week, along with another separate data extraction method.
De Fulgentis shows how a user's information can be extracted with the help of a malicious page using information on a page from Googles support forums. If logged in, users e-mail addresses, names and profile picture URL can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsofts Live.com and Yahoo!s Profiles pages.
De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.
Instead of a cross-origin drag & drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the "dropper" is a form (text area, input text field, etc.) located on the same domain, De Fulgentis writes.
Essentially information that should be private is made public by two flaws: If the user is on a website that doesnt protect information by X-Frame-Options the response header that ensures information isnt embedded into other sites - and if that site is affected by clickjacking.
De Fulgentis goes on to explain how this technique can be executed in Chrome on Amazon.com. Using the aforementioned method, an attacker could publish the users information as a comment for an Amazon item, as demonstrated by the following video:
Since Amazons site doesnt protect users information with an X-Frame-Options header, information like users e-mail address and mobile number could be exposed under the right conditions.
This vulnerability is the latest of a series of UI redressing vulnerability reports done by De Fulgentis. Late last year he described a problem with Mozillas Firefox that compromised user information on LinkedIn.com.
Luca De Fulgentis, who writes about security for Nibble Securitys blog, detailed the issue earlier this week, along with another separate data extraction method.
De Fulgentis shows how a user's information can be extracted with the help of a malicious page using information on a page from Googles support forums. If logged in, users e-mail addresses, names and profile picture URL can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsofts Live.com and Yahoo!s Profiles pages.
De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.
Instead of a cross-origin drag & drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the "dropper" is a form (text area, input text field, etc.) located on the same domain, De Fulgentis writes.
Essentially information that should be private is made public by two flaws: If the user is on a website that doesnt protect information by X-Frame-Options the response header that ensures information isnt embedded into other sites - and if that site is affected by clickjacking.
De Fulgentis goes on to explain how this technique can be executed in Chrome on Amazon.com. Using the aforementioned method, an attacker could publish the users information as a comment for an Amazon item, as demonstrated by the following video:
Since Amazons site doesnt protect users information with an X-Frame-Options header, information like users e-mail address and mobile number could be exposed under the right conditions.
This vulnerability is the latest of a series of UI redressing vulnerability reports done by De Fulgentis. Late last year he described a problem with Mozillas Firefox that compromised user information on LinkedIn.com.
Comments
