Same Origin Method Execution (SOME) Vulnerability


May 31, 2016 | By Tushar K | 3 min read
(Source: benhayak.com)

A new vulnerability has been discovered by Ben Hayak, a researcher at Trustwave, at Black Hat Europe in Amsterdam. It lets an attacker gain access to your private cloud and steal information such as private photos, video albums, etc., when the victim does nothing more than click on a malicious link. The attack happens before the user realizes that something is going wrong. An application exposed in this way is vulnerable to a new attack called Same Origin Method Execution (SOME). A good Vulnerability Management Tool can resolve these issues.

Same Origin Method Execution is a web application attack related to JavaScript Object Notation with padding (JSONP) implementation that allows an attacker to perform unlimited unintended actions on a website on behalf of users. Vulnerability Management Software is the solution to prevent these attacks.

Unlike many other similar attacks, there is no need for user interaction if malicious advertising (malvertising) is in use as a vector. In fact, when a web page is vulnerable to the Same Origin Method Execution, the entire domain becomes exposed to its resulting vulnerabilities.

How the attack works:

  1. The victim clicks on the malicious link.
  2. A new window opens for each of the methods being executed.
  3. The application then allows the vulnerable callback URL to render the document targeted by the attack. This happens quickly, so the victim has no idea what is occurring.
  4. The application is ‘tricked’ into thinking both sites are trustworthy, and it can now be hijacked into thinking the end user is performing all the actions.

Same Origin Policy (SOP) is a fundamental security mechanism that prevents unrelated websites from interacting with each other. This mechanism restricts websites from running JavaScript that they don’t have permission to run. However, there are situations where a website needs to communicate with third-party services, which means getting around the Same Origin Policy.

For example, a website that needs to identify its visitors’ location might use a geolocation service such as Telize. In this case, web developers can use JSONP, a communication technique that allows websites to request data from servers in a different domain by taking advantage of the fact that browsers don’t enforce SOP on <script> tags.

While JSONP is a popular and useful technology, it can make a website vulnerable if not implemented properly. JSONP uses a callback function to get data from third-party services. The attacker could execute arbitrary methods on the affected website by manipulating the callback parameter.

According to the researcher, an attacker can execute as many methods as necessary. Many popular domains like Google, Yahoo, and Microsoft, along with applications like WordPress and VideoJS, were affected by the Same Origin Method Execution vulnerability.

Primary reasons websites are affected by the SOME vulnerability

According to the researcher, there are possibly four reasons why SOME vulnerabilities can affect websites:

  1. If the application requires “secure delegated access” to third-party server resources like OAuth.
  2. If the application opens a pop-up window so that it does not lose the current content on the display.
  3. If the application developers use a simpler yet insecure SOP bypass.
  4. If developers simply lack security awareness.

Ways to secure websites against the SOME attack

According to the researcher, there are only three ways to secure websites against a SOME attack that uses a JSONP implementation:

  1. Use a static function name for all callback endpoints.
  2. Whitelist callbacks on the server side.
  3. Register callbacks.
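
The first two mitigations above, sketched for a server-side JSONP handler next to the reflected-callback form they replace. This is an added example, not code from the article or the researcher; the function names, callback names and sample inputs are hypothetical.

```javascript
// Added example: JSONP response builders (hypothetical names throughout).

// Exact callback names this endpoint accepts (constructed for illustration).
const ALLOWED_CALLBACKS = new Set(['handleGeo', 'handleProfile']);
const STATIC_CALLBACK = 'jsonpCallback';

// Serialize data so it cannot close a <script> block or break a JS string.
function safeJson(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Weak form: the function name in the response is whatever the request asked for.
function jsonpReflected(callbackParam, data) {
  return { status: 200, body: `${callbackParam}(${safeJson(data)});` };
}

// Mitigation 1: one static function name; the request parameter is ignored.
function jsonpStatic(_callbackParam, data) {
  return { status: 200, body: `${STATIC_CALLBACK}(${safeJson(data)});` };
}

// Mitigation 2: server-side allowlist of exact names, no pattern matching.
function jsonpAllowlisted(callbackParam, data) {
  // Query parsers may yield arrays or undefined; accept only a listed string.
  if (typeof callbackParam !== 'string' || !ALLOWED_CALLBACKS.has(callbackParam)) {
    return { status: 400, body: 'invalid callback' };
  }
  return { status: 200, body: `${callbackParam}(${safeJson(data)});` };
}

// Constructed inputs: a legitimate callback and a caller-chosen method reference.
const sampleData = { city: 'Pune' };
const expectedName = 'handleGeo';
const unexpectedName = 'someObject.someMethod';

for (const build of [jsonpReflected, jsonpStatic, jsonpAllowlisted]) {
  for (const name of [expectedName, unexpectedName]) {
    const res = build(name, sampleData);
    console.log(`${build.name}(${name}) -> ${res.status} ${res.body}`);
  }
}
```

Only the reflected form lets the request decide which function the page will call; the static form always emits the same name and the allowlisted form rejects anything not listed.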
