A new vulnerability has been disclosed by a researcher at Trustwave at Black Hat Europe in Amsterdam. It can give an attacker access to your private cloud and let them steal information such as private photos and video albums, just by getting you to click on a malicious link. The attack completes before the user realizes that anything is wrong. Yes, that means the application is vulnerable to a new attack called Same Origin Method Execution (SOME).

Same Origin Method Execution is a web application attack related to JavaScript Object Notation with Padding (JSONP) implementations. It allows an attacker to perform an unlimited number of unintended actions on a website on behalf of its users.

Unlike many similar attacks, no user interaction is needed if malicious advertising (malvertising) is used as the delivery vector. In fact, once a single web page is found vulnerable to Same Origin Method Execution, the entire domain becomes exposed to the resulting vulnerabilities.

How the attack works:

  1. The victim clicks on the malicious link.
  2. A new window is opened for each method that is to be executed.
  3. The application then allows the vulnerable callback URL to render the document targeted by the attack; this can be done quickly enough that the victim has no idea what has happened.
  4. The application is ‘tricked’ into treating both sites as trustworthy, and it can then be hijacked into believing that all actions are being performed by the end user.

Same Origin Policy (SOP) is a fundamental security mechanism that prevents unrelated websites from interacting with each other. It stops a website from running JavaScript in the context of another site for which it has no permission. However, there are situations where a website needs to communicate with third-party services, which requires working around the Same Origin Policy.

Consider, for example, a website that needs to identify its visitors’ location and uses a geolocation service such as Telize. In this case, web developers can use JSONP, a communication technique that allows websites to request data from servers in a different domain by taking advantage of the fact that browsers do not enforce SOP on <script> tags.

While JSONP is a popular and useful technique, it can make a website vulnerable if it is not implemented properly. JSONP relies on a callback function to receive data from the third-party service: the response is JavaScript that calls the function named in the request’s callback parameter. By manipulating that callback parameter, an attacker can cause arbitrary methods to be executed on the affected website.

According to the researcher, an attacker can execute as many methods as necessary. Many popular domains, including Google, Yahoo and Microsoft, along with applications such as WordPress and VideoJS, were affected by the Same Origin Method Execution vulnerability; these issues were fixed recently.

Primary reasons websites are affected by the SOME vulnerability

According to the researcher, there are four main reasons why the SOME vulnerability can affect websites:

  1. The application requires “secure delegated access” to third-party server resources, as with OAuth.
  2. The application opens a pop-up window so as not to lose the content currently being displayed.
  3. The application’s developers use a simpler but insecure SOP bypass.
  4. The developers simply lack security awareness.

Ways to secure websites against the SOME attack

According to the researcher, there are only three ways to secure a website’s JSONP implementation against the SOME attack:

  1. Use a static function name for all callback endpoints.
  2. Whitelist callbacks on the server side.
  3. Register callbacks.
