2

Say there is a situation where site a is directly linking a font file

ie https://www.example.com/FONT.woff2

from site b.

Would it be possible for someone to make a URL rewrite rule to point to a malicious file then someone who would visit site a would download the malicious file instead of the intended one?

For example, the user would hit site a, site b would have a rewrite rule for the specified font so when that is called it would redirect to https://www.example.com/MALICIOUS.JS instead.

NooBskie
  • It wouldn't matter if it did redirect to something bad, the font just wouldn't work; there's no way to run code from a font, so there's no risk from bad code. Your risk is the font not loading. – dandavis Sep 28 '17 at 06:48
  • Rewrite rule? If you hotlink `https://siteb.example.com/FONT.woff2`, site b can serve whatever it wants at that URL. Why would it need a rewrite rule specifically? – Ajedi32 Oct 03 '17 at 13:27

2 Answers

5

Including resources from a third party site means that you include resources in your page where you have no control over the content of the resource. Thus, even if the content was the expected one at the time you added the link, it can change whenever it suits the owner of the site - or somebody who hacked the site. This is not restricted to a redirect as you envision; the third party site can serve different content in the first place.

The impact of this depends on what kind of resources you hotlink. If you include JavaScript from a third party site (as is done a lot when offering the ability to share on social media) then the third party can essentially fully control what gets displayed to the visitor of your site, but can also embed a keylogger in your page or similar. Including fonts might be a problem too, since malicious fonts have been used multiple times in the past to exploit bugs in the browser or OS and execute malware.

And while replacing images will usually not result in unwanted code execution (unless another bug in image processing is exploited), you can instead get an image you don't actually want on your site. For example, some sites punish unwanted hotlinking with "special" images, but it might also be used for something more harmful such as phishing attacks, as seen in this answer. See also this question for more ideas.

Note that the replaced resource still needs to match the expected type of resource. This means if the browser expects a font and the attacker serves a JavaScript file instead it will not be executed. But if the attacker serves a malicious font in this case it will be used.

For some types of resources and for some browsers, subresource integrity will help to detect if third party resources get changed, and not load the resource in this case. But this currently works mainly with script and CSS, and for example not with fonts or images. And it currently works only with Chrome, Opera, Firefox and Safari.

Steffen Ullrich
3

There are many potential problems. If you are including JavaScript, they can do a lot of bad things, like keylogging, completely changing the webpage to display a phishing page, downloading malware, or something like that.

Even with just images, the user's privacy will be compromised because they will know the IP address and referrer. Even worse, they can add an HTTP basic authentication requirement to the image and attempt to phish for credentials. See "basic authentication phishing with images": https://securitycafe.ro/2017/09/06/phishy-basic-authentication-prompts/

Daniel Grover