Login State Detection in Firefox
Jeremiah has been on a roll lately. Not just releasing some of the old stuff, but he's actually been coming up with some very cutting-edge new stuff too. Most recently he's found that you can detect whether a visitor is logged in to another site by loading one of that site's HTML pages with a <script src> tag and trapping the JavaScript error it throws: the HTML isn't valid JavaScript, so the parse fails, and the details of that failure (such as the line number it fails on, which Firefox hands to the page through window.onerror) differ depending on whether the server sent back the logged-in page or the login page. Crazy!
Click here for the PoC (you must be using Firefox and have JavaScript enabled). He demonstrates the technique against Yahoo Mail, Gmail, Hotmail, Google, MySpace, Blogger, Flickr, My MSN, and SearchAppSecurity Techtarget. Note that these sites aren't vulnerable in the usual sense; they are just the targets the PoC probes. The effect is similar to the CSS History hack, except this time SafeHistory isn't going to help you: that extension protects against the :visited styling trick, and this technique is pure JavaScript and never touches link styling.
We talked about this at some length and we believe it would be pretty easy to build custom scripts for almost any website: all you need is a fingerprint of the error each state produces. So much for the same origin policy. It stops you from reading a cross-domain response directly, but <script> is allowed to load cross-domain content, and the error handler leaks just enough about that content to tell the states apart. The really scary implication is that the way this is built, it's not just a binary operation. It could easily be expanded to detect multiple states of a web page. You would have to know what the error looks like in each of those states, but it's definitely possible. Great job, Jeremiah!



December 14th, 2006 at 10:13 am
Brilliant, really, who thinks of this?
December 14th, 2006 at 10:41 am
“He demonstrates the vulnerability in Yahoo Mail, Gmail, Hotmail, Google, MySpace, Blogger, Flickr, My MSN, and SearchAppSecurity Techtarget.”
I wouldn't say these websites are 'vuln' per se; perhaps work on your wording a bit?
- zeno
http://www.cgisecurity.com
December 14th, 2006 at 10:43 am
The wording is odd, yes… what I was saying is that he demonstrates the vuln using those sites. But yes, it's not a vulnerability in their sites, per se.
December 14th, 2006 at 12:15 pm
The GMail one failed for me, but the myspace one worked (those are the only ones I could test).
December 14th, 2006 at 12:22 pm
The Yahoo one failed for me, but probably because it's the Beta… which I don't use.
It's just a PoC one though… can probably make it more robust before actual use (and port to IE, which should be possible).
Very handy…
December 14th, 2006 at 7:57 pm
The GMail one failed, but both My MSN and Hotmail worked. The next question is, is it possible to ride/hijack the sessions of these accounts that returned as being "Logged In"?
December 15th, 2006 at 12:31 am
Yahoo was the only one that worked for me, but at least the NoScript add-on decreases my attack surface.
And yeah, I agree with Mephisto, let's advance to the next "ride/hijack" step.
December 15th, 2006 at 3:34 am
[…] Read at Kriptópolis. Original source: Login State Detection in Firefox […]
December 15th, 2006 at 10:43 am
Well, the ride/hijack is a separate attack in itself… which will need either a CSRF or XSS vulnerability, or using MHTML if you port this to IE. Unless Jeremiah also pulls a global CSRF out of his (White)Hat that works for FF too…