A new class of web attack, presented by a researcher from Trustwave at Black Hat Europe in Amsterdam, can give an attacker access to a victim's cloud-hosted private data, such as photos and video albums, after the victim does nothing more than click a malicious link. The attack completes before the user realizes that anything is wrong. The technique is called Same Origin Method Execution (SOME), and a web application that exposes an unprotected callback endpoint is vulnerable to it.
Unlike many similar attacks, SOME needs no user interaction at all when malicious advertising (malvertising) is used as the delivery vector. And once a single page is found vulnerable to Same Origin Method Execution, the entire domain is exposed: methods on any page of that origin can be invoked through the vulnerable endpoint.
How the attack works:
- The victim clicks the malicious link (or, with malvertising, simply loads a page carrying the ad).
- The attacker's page opens a new window for each method that is to be executed.
- The vulnerable callback endpoint is made to render the targeted document in that window, with the callback parameter pointing at a method of the victim's page. This happens so quickly that the victim has no idea anything occurred.
- Because both windows belong to the same origin, the browser treats them as mutually trusted and lets one call methods of the other; the application cannot distinguish these injected calls from actions performed by the end user.
Consider, for example, a website that needs to identify its visitors' location and uses a geolocation service such as Telize. Web developers commonly fetch such data with JSONP, a communication technique that lets a page request data from a server in a different domain by taking advantage of the fact that browsers do not enforce the same-origin policy (SOP) on <script> tags.
JSONP is popular and useful, but an improper implementation can make a website vulnerable. JSONP returns data wrapped in a call to a callback function whose name the requesting page supplies in the URL. If the server reflects that callback name into the returned script without validation, an attacker who controls the parameter can make the browser execute an arbitrary method of the affected site's pages, with the returned data as its argument.
According to the researcher, an attacker can chain as many method executions as needed. Popular domains including Google, Yahoo and Microsoft, and applications such as WordPress and VideoJS, were affected by the Same Origin Method Execution vulnerability and have recently been fixed.
Primary reasons why websites are affected by SOME
According to the researcher, there are four main reasons a website ends up affected by SOME:
- The application requires "secure delegated access" to third-party server resources, as with OAuth, and therefore exposes a callback endpoint.
- The application opens a pop-up window so as not to lose the content currently being displayed.
- The developers use a simpler but insecure bypass of the same-origin policy instead of a proper cross-origin mechanism.
- The developers simply lack security awareness.
Ways to secure websites against SOME attacks
According to the researcher, there are only three ways to protect a JSONP implementation against SOME:
- Use a static function name for all callback endpoints and ignore the callback parameter entirely.
- Whitelist allowed callback names on the server side.
- Register callbacks, so that only a callback name the page registered in advance is accepted.
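The following is an added example, not code from the Trustwave research or from any real JSONP service such as Telize. It models a JSONP endpoint as pure functions (the reflected-callback version described above beside the static-name and whitelist fixes just listed) and simulates the browser evaluating the returned script inside the attacker's popup, so the effect of a SOME-style callback can be checked offline. The endpoint names, the "delete-album" button and the geolocation data are all constructed for the example.

```javascript
// Added example, not from the original article or any real service: a JSONP
// endpoint modelled as pure functions, plus a simulation of the <script> tag
// executing in the attacker's popup, so the SOME effect can be observed offline.

// A callback name we accept: a bare JavaScript identifier, no dots or brackets,
// so it cannot name a method on "opener", "parent" or any other window object.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hypothetical server-side whitelist of callbacks the front end registered.
const REGISTERED_CALLBACKS = new Set(["handleGeo", "geoReady"]);

// Vulnerable handler: the callback parameter is reflected verbatim into script.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Fix 1: static function name; the callback parameter is ignored entirely.
function jsonpStatic(_callback, data) {
  return `handleGeo(${JSON.stringify(data)});`;
}

// Fixes 2 and 3: only a bare identifier that was registered/whitelisted on the
// server is accepted; anything else is rejected before it reaches the script.
function jsonpWhitelisted(callback, data) {
  if (typeof callback !== "string" || !SAFE_CALLBACK.test(callback) ||
      !REGISTERED_CALLBACKS.has(callback)) {
    throw new Error("callback rejected: " + String(callback));
  }
  return `${callback}(${JSON.stringify(data)});`;
}

// Mock of the victim-origin opener window. It only records which element's
// click() method was invoked; a real page would perform the action.
function makeMockOpener() {
  const clicked = [];
  return {
    clicked,
    document: {
      getElementById(id) {
        return { click() { clicked.push(id); } };
      },
    },
  };
}

// Simulate the <script> tag loading in the popup: the response body is
// evaluated with "opener" and the legitimate "handleGeo" as its only globals.
// Returns the data objects that reached the legitimate callback.
function runInPopup(script, opener) {
  const received = [];
  new Function("opener", "handleGeo", script)(opener, (d) => received.push(d));
  return received;
}

// Constructed sample data and the SOME-style callback: a dotted path to the
// click() method of a hypothetical "delete-album" button in the opener window.
const GEO = { ip: "198.51.100.7", country: "NL" };
const SOME_CALLBACK = 'opener.document.getElementById("delete-album").click';

// Run the attack payload through each handler and collect what happened.
function demo() {
  const results = {};

  const victim = makeMockOpener();
  runInPopup(jsonpVulnerable(SOME_CALLBACK, GEO), victim);
  results.vulnerableClicked = victim.clicked.slice();   // the button got clicked

  const safe = makeMockOpener();
  results.staticReceived = runInPopup(jsonpStatic(SOME_CALLBACK, GEO), safe);
  results.staticClicked = safe.clicked.slice();          // nothing touched opener

  try {
    jsonpWhitelisted(SOME_CALLBACK, GEO);
    results.whitelistRejected = false;
  } catch (e) {
    results.whitelistRejected = true;                    // payload never served
  }
  results.whitelistReceived =
    runInPopup(jsonpWhitelisted("handleGeo", GEO), makeMockOpener());
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The whitelist check deliberately combines a syntactic rule (a bare identifier) with a membership test: the regex alone would still let an attacker pass a name such as "opener" that resolves to a window object, and a membership test alone would break as soon as a developer adds an entry containing a dot.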