
For a project at university I have done research about all kinds of security issues, especially privacy-related ones, that have come up on mobile OS and applications over the last few years.

One of the most infamous breaches I read about seems to be the same-origin policy (SOP) vulnerability that was discovered in Android's stock browser (AOSP) last year. The more I read about this attack though, the more it seems to me that the media have just greatly exaggerated the severity of this issue, since the actual attack vector seems to be quite small to me - at least from a privacy point of view. To sum up what I have found out:

  • There is an HTTP header field called 'Cross-Frame-Options' which prevents exactly this kind of attack because you can't even open the page in question within an iframe. Judging from some internet research and practical tests, most web frameworks set this header at least to 'same origin' by default, let alone big privacy-critical pages like social networks, online banking services and so on.

  • If you MITM'ed the connection and you were able to strip the XFO header, that would imply that the communication between victim and server was unencrypted and you could just steal session cookies or document data directly anyway.

  • I also had the idea to strip an insecure page of the XFO header, then open it within an iframe (say http://amazon.com), then pass the value of the document.cookie field from JS to the outside, since it could theoretically also contain secure cookies. Turns out, there is the 'httpOnly' property for cookies, which prevents exactly this kind of abuse ...

Now I know that there are probably hundreds of thousands of smaller sites that don't implement all of the above security measures or do it incorrectly, but articles like the one I linked (and dozens of others) clearly state that one could read emails from GMail or hijack Facebook sessions with this vulnerability present. Am I correct in assuming that the journalists who wrote these articles just didn't think the whole thing through, or am I actually missing some critical piece of information?

Jens Erat
zinfandel
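As an added example (not code from the question, the answer, or any project mentioned on this page), the following Python script audits a server response for the defensive controls the question relies on: X-Frame-Options (what the question calls 'Cross-Frame-Options'), the CSP `frame-ancestors` directive that browsers honour in preference to X-Frame-Options when both are present, Strict-Transport-Security (relevant to the point about a MITM stripping headers from an unencrypted connection), and the `HttpOnly` and `Secure` cookie flags. The two header sets are constructed for illustration and are not captured from any real site.

```python
"""Audit an HTTP response's anti-framing and cookie-hardening headers.

Added example, not code from the question or answer. The header lists
below are constructed; nothing here was captured from a real server.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# X-Frame-Options values browsers implement consistently; ALLOW-FROM and
# unknown tokens are treated as unreliable.
_ALLOWED_XFO = {"DENY", "SAMEORIGIN"}


def _get_all(headers: List[Header], name: str) -> List[str]:
    """Return every value of a header, matching the name case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def framing_policy(headers: List[Header]) -> str:
    """Classify how the response restricts being embedded in a frame.

    Returns 'csp' when a frame-ancestors directive is present (browsers
    apply it and ignore X-Frame-Options), 'xfo' when only a DENY or
    SAMEORIGIN X-Frame-Options header protects the page, else 'none'.
    """
    for csp in _get_all(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return "csp"
    xfo = [v.strip().upper() for v in _get_all(headers, "X-Frame-Options")]
    if xfo and all(v in _ALLOWED_XFO for v in xfo):
        return "xfo"
    return "none"


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its cookie name and boolean flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return {
        "name": name,
        "httponly": "httponly" in attrs,  # hidden from document.cookie
        "secure": "secure" in attrs,      # never sent over plain HTTP
    }


def audit(headers: List[Header]) -> Dict[str, object]:
    """Build a report: framing policy, HSTS presence and per-cookie flags."""
    cookies = [parse_set_cookie(v) for v in _get_all(headers, "Set-Cookie")]
    return {
        "framing": framing_policy(headers),
        # Without HSTS a later plain-HTTP visit can be intercepted and the
        # protective headers stripped, which is the MITM case in the question.
        "hsts": bool(_get_all(headers, "Strict-Transport-Security")),
        "cookies": cookies,
        "unprotected_cookies": [
            c["name"] for c in cookies if not (c["httponly"] and c["secure"])
        ],
    }


# Constructed sample responses (hypothetical values, not from any real site).
HARDENED: List[Header] = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

WEAK: List[Header] = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),  # no CSP fallback
    ("Set-Cookie", "session=abc123; Path=/"),         # readable from JS, sent over HTTP
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly"),   # HttpOnly but not Secure
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(hdrs))
```

Running the script prints one report per sample: the hardened response is classified as `csp` with HSTS set and no unprotected cookies, while the weak response reports `none` for framing, no HSTS, and both cookies as unprotected. The design choice to report ALLOW-FROM as `none` reflects that it was never implemented consistently across browsers, so a site relying on it has no dependable framing restriction.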

1 Answer


I haven't studied this specific vulnerability, but from the points you mention I should note:

  • Cross-Frame-Options is not used too much on websites.

  • Although this SOP vulnerability is dwarfed by X-Frame-Options, two months before there was another one where it didn't seem to matter. On most outdated phones where you will be able to exploit one of them, most likely the other one will also be exploitable.

  • I don't trust too much the specific examples given when journalists explain a vulnerability saying “you could compromise GMail / Facebook / BigSite”; they are only providing an example in layman's terms of what can be done with a vulnerability like that, mentioning a website everyone will know about and care about their privacy on. It is possible that those journalists are aware of those finer details, or that the vulnerability description was already “simplified” when explained to them.

Ángel
  • +1 From the second vulnerability "A metasploit module has been released by jvennix-r7 which also supports x-frame-options bypass making it a completely universal exploit." Ie: Cross-Frame-Options is useless in defeating this problem. – Neil Smithline Jun 07 '15 at 22:32