Jan 9, 2010

Little bug in Safari and Google Chrome

I guess a bug in Safari it's not a surprise at all but Google Chrome seems to be a more secure product. Anyways this little bug is not big deal but maybe combined with other bug it could be more dangerous.

<link rel="stylesheet" type="text/css" href="http://www.yahoo.com">
Hola
<script language="javascript">
setTimeout("alert(document.styleSheets[0].href)", 10000);
//setTimeout is used just to wait for page loading
</script>


The code above should display the same href value as in the LINK tag but it displays the final URL if there is a redirection, here in my country when you browse to http://www.yahoo.com/ you get redirected to http://ar.yahoo.com/?p=us so the above code displays this last URL.

Why this is an issue?
-There are some websites that put user session ids on the URL querystrings the same for tokens used for CSRF protection, if an attacker can get a user browsing his website then he can use the above code to reference a URL of a website the user is logged on that will be redirected to another URL that could have a session id or token in the querystring and then use this information for more dangerous attacks. Some websites could also have in the querystring some other useful information that could be used for further attacks. Websites putting session ids, tokens, etc. in querystings are already not secure but this issue helps in exploiting them.

-An attacker can also use this issue to determine if a user is logged in or not by comparing if the original URL is the same as the final one when trying to access a feature thar requires to be logged in.

-Maybe there are other possible ways of abusing this issue that I'm not aware right now.

Microsoft Internet Explorer and Mozilla Firefox are not vulnerable to this.

Enjoy.

8 comments:

Unknown said...

firefox has a similar issue.. and IE.. as well.. haha

thanks! now there's a way to follow redirects on all browsers with js!

Cesar Cerrudo said...

@sdc as far as I know Firefox and IE don't have this problem, they always display the original URL.

kuza55 said...

Firefox actually patched this bug in early 2008 - I know since I reported it to them (though it seems someone got to them before me, so no credit).

At the time it was really useful, since Google's SSO system sent session ids in redirect URLs, even for apps that were a .google.com subdomain, in particular Gmail. These days it only happens for off-domain sites such as Blogger.

There are still similar redirect leak bugs floating around other browsers though.

Marco Ramilli said...

Yes, thank you for sharing it.I never though Chrome was vulnerable to this, but it is ! Awesome.

:-Derek said...

Just a note that beta software has rarely had stringent security testing in the field. Therefore, have no expectations at this point of Google Chrome being any more or less secure than any other browser. Unfortunately, the big problem any browser has these days is the insecure nature of the code languages being used on the Internet. Example: JavaScript in general is now a major hazard; Active X, even worse.

David Rosen said...

Derek, why are you talking about beta software -- the release version of Chrome isn't beta.

blakesteel said...

I have tested this exploit in Google Chrome 4.0.249.89 and it has no effect. I tested with microsoft.com, yahoo.com, planetquake.com and other websites. They all resolved to the original LINK tag and not the final URL. This problem seems to have been corrected.

Cesar Cerrudo said...

@palisade yes it was fixed a couple of weeks ago