web application security lab

Popup & Focus URL Hijacking

I apologize ahead of time to whoever first sent me this - it’s been so long now that I have long since lost the original email. But at some point a few years ago someone sent me a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that checking the URL bar didn’t help: a few seconds after you looked at it, the page would be replaced by the evil site. Well, today I spent a few minutes toying around with other potential uses for that same code. Let’s pretend I wanted an unsuspecting user to download my malicious Firefox add-on. I might create something like this demo, which claims to be requesting that you download NoScript from Mozilla’s site. When the page loads, a setTimeout fires a few seconds later, resulting in the following popup:

[Screenshot: the Firefox download prompt, showing the file being served from ha.ckers.org]

You will notice that it quite clearly says that it is being downloaded from ha.ckers.org, but the vast majority of users won’t understand what that means, since, of course, they are quite clearly on the EV-cert-protected addons.mozilla.org. Also, presumably an attacker would normally pick something like addons.mozilla.org.xyx.com instead of ha.ckers.org. Worse yet, it blocks the user from downloading the legitimate file until they take action on whatever my malicious website is prompting them to do. Here’s the equivalent, but less useful, example in Internet Explorer:

[Screenshot: the same download prompt in Internet Explorer]

Unlike Firefox, IE doesn’t even say where the file is being downloaded from, so it’s an even more confusing user experience. Not that this is a particularly good example, since .xpi files are meaningless in Internet Explorer, but you get the point. Either way, this is kind of a nasty user experience, and it is extremely likely to result in user compromise if the malicious site is creative enough in how it prompts the user to download the latest version of whatever software add-on or plugin the attacker is trying to spoof (think about Adobe Flash upgrades, Java upgrades and so on). Could be nasty.
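What the post relies on is that a page which opens another window keeps a handle to it and can replace that window's location later, long after the user has looked at the address bar. The defensive side of that is severing the handle. The following is an added example, not code from the original post or from Mozilla: it shows the two controls a site can apply today, both of which postdate the post. A `Cross-Origin-Opener-Policy: same-origin` response header puts a document opened from another origin into a fresh browsing context group, so the opener's window handle is cut and can no longer navigate it, and `rel="noopener"` on outbound `target="_blank"` links stops the opened page from reaching back through `window.opener`. The HTML sample and the hostnames in it (`addons.example`, `mirror.example`) are constructed for the example.

```javascript
'use strict';
// Added example, not part of the original post. Defensive checks against
// opener-driven navigation: a window handle held by another origin can replace
// the location of the page it points at, so the goal is to sever that handle.

// 1. Response headers for the page that may be opened or framed by other origins.
function hardeningHeaders() {
  return {
    // Opened from a cross-origin page, this document gets its own browsing
    // context group; the opener's handle becomes a closed window it cannot navigate.
    'Cross-Origin-Opener-Policy': 'same-origin',
    // Refuse to be embedded in a frame on another origin (legacy header and CSP form).
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// 2. Audit outbound links: a target="_blank" anchor without rel="noopener" gives
//    the opened page a usable window.opener. Regex-based because Node has no DOM.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function parseAttrs(tag) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Returns the href of every target="_blank" anchor whose rel lacks "noopener".
function auditBlankTargets(html) {
  const findings = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const a = parseAttrs(tag);
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener')) findings.push(a.href || '(no href)');
  }
  return findings;
}

// Rewrites offending anchors, appending "noopener" to any existing rel tokens.
function fixBlankTargets(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const a = parseAttrs(tag);
    if ((a.target || '').toLowerCase() !== '_blank') return tag;
    const rel = (a.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    if (rel.includes('noopener')) return tag;
    rel.push('noopener');
    const without = tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return without.replace(/>$/, ` rel="${rel.join(' ')}">`);
  });
}

// Constructed sample page: two unsafe outbound links, one safe one, one same-tab link.
const SAMPLE_HTML = `
<p>Get the add-on: <a href="https://addons.example/noscript" target="_blank">download</a></p>
<p><a href="https://partner.example/" target="_blank" rel="noopener noreferrer">partner</a></p>
<p><a href='https://mirror.example/x.xpi' target='_blank' rel='nofollow'>mirror</a></p>
<p><a href="/local">same tab</a></p>
`;

console.log('Headers to send:', hardeningHeaders());
console.log('Links missing noopener:', auditBlankTargets(SAMPLE_HTML));
console.log('Rewritten page:', fixBlankTargets(SAMPLE_HTML));
```

The audit is the check to run over a site's templates; the header set is what to serve on any page that a hostile page could open or frame. Neither helps the user in the post's scenario if the browser on their side ignores the headers, which is why the two controls are applied on the site, not relied on from the client.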

14 Responses to “Popup & Focus URL Hijacking”

  1. Jabra Says:

    Here is a video I built of using a Firefox keylogger: http://vimeo.com/5353818

    I’m sure this plugin could be modified to transfer the data back to an attacker.

  2. Wornstrom Says:

    So what exactly is the issue here? Changing the location of the opened window does not change its address bar properly?

  3. Anon Says:

    The situation is worse in the case of Chrome.

  4. Chris Snyder Says:

    I think the issue is that Firefox should detect a mismatch between the EV-secure URL in the address bar and the host where the .xpi download is coming from.

    For that matter, the whole extension download mechanism should probably be rewritten to require signed extensions like Linux distros do. Remember, it was originally written by developers who didn’t think it was important to use https for addons. Heck, I’m pretty sure you still get the browser itself over http (so you better trust your home/business router).

  5. Tom T. Says:

    Good timing on this post. This probably explains this thread at the NoScript Support Forum:

    “so i downloaded the new noscript plugin.. thru the browser firefox. and guess what… it comes packaged with a free spyware! SPY FIGHTER TOOL installed against my will. you dirty [censored]”

    I cited and linked this article in my reply, as the probable cause of the above complaint. Thanks for the article.

    Tom T.
    NoScript Support Team

  6. RSnake Says:

    @Wornstrom - Correct, the URL bar stays the same, and will continue to stay the same, even after the malware is installed. But also the UI has not been modified either, so that still may not be good enough, even if the URL changed - the UI still matches the malicious site. So the side issue is that a separate domain can change the contents of a child frame even if it’s in a different domain.

    @Anon - I haven’t tried chrome with this yet. Why is it worse?

    @Chris Snyder - Totally agreed about the addons infrastructure. I’ve definitely hammered the Mozilla team about that before. It’s legacy though, and so I think we’re stuck with it for a while. Can’t wait until someone starts hacking into the resources.mozilla.org sites though!

    @Tom T. Yessir - I’ve been thinking about that for a while. NoScript was only an example because funny enough it could have actually solved this problem by not allowing the JS to run in the first place. ;) The irony. Interesting to know that NoScript is being targeted though!

  7. Alan Baxter Says:

    I didn’t see a bug on Mozilla yet, so I posted one. https://bugzilla.mozilla.org/show_bug.cgi?id=537119

    This is a bit beyond me technically, so I reproduced some of the observations in these comments verbatim in my description and comments about the bug. Hope that was OK. Thank you for the info.

  8. Tom T. Says:

    I mentioned in our forum discussion that, of course, NoScript stops the exploit (and this demo), so the bad guy must dupe the victim into allowing evilhost.com. *But* — that makes the first-time download of NoScript a perfect target for this exploit, because, *by definition*, these users are the ones who don’t have the very tool that would prevent the exploit.

    Irony, indeed — but exploitable irony. Until Alan Baxter’s bug report is acted upon, I’d expect to see a lot of this targeting first-time NS d/l’s. Can we get the word out to the public to beware of this?

    @ Chris Snyder: Two wrongs surely don’t make a right, but for the record, Microsoft downloads browsers, critical security updates, etc. over http — although you can get updates through https if you insist on it. But I, too, agree with you — and I hope RSnake will keep hammering on MZ until they fix it.

  9. Robert A. Says:

    The real challenge for vendors is how do you present information to the user in a way so that they will

    - Understand it regardless of their technical level
    - Not harm themselves accidentally, but allow legit functionality to work
    - In a way that the user won’t just click through it anyways (i.e. they want the dancing bunny to work and will click through to see it)

    Sites may use 3rd party download mirrors/hostnames so users will ultimately not know when something is legit or not (just like with phishing). Antivirus/phishing/host protection mechanisms unfortunately are one of the better approaches to solving this issue.

    EV Certs are also not a really good solution, but they allow savvy users (i.e. the minority) to have additional confidence when visiting a site. EV Certs have value and certainly should be used when possible but aren’t, in the grand scheme of things, having a large impact IMHO on their own.

  10. rochtweet Says:

    Chrome just downloads it without even giving any warning!!

  11. Joel M. Says:

    Maybe to clarify this for some folks, there are three problems here.

    The first one is that the browsers will allow a page to reference objects that do not come from the same location as the page. That is the basis of services like double-click where a third-party image is referenced to log your visit, this behavior of referencing a plug-in is simply a derivative of that but potentially more deadly. The second related problem is that some browsers may let plug-ins get out of the sandbox and into your files. The only solution would be to block access to third-party objects, but that would of course throw mashups out of business :)

    The more important third problem is that users can’t see on the URL line where everything on the page comes from and have been trained from childhood to click on OK when the computer wants to do something. Even if you do give them the URL as you ask them to click to proceed, they don’t have a clue as to what that means, so they still click OK. 95% of every user I know has no clue as to what the “address bar” and URL even mean. We tried to train them that a “padlock” meant they were safe, and now, in what is simply a marketing ploy, EV certificates turn the address bar green and tell you the company name. So everything that is green makes them feel even safer.

    But certificates, even EV, are complete crap for guaranteeing safety. The only guarantee is that your data is encrypted. Otherwise they only work if you actually look to make sure you are talking to the company you think you are. I could create a corporation microssoft and register microssoft.com and get an EV certificate for microssoft.com, and once I get people redirected to my site they would happily think they were getting a secure and trustworthy plugin from Bill’s old company. Because nobody looks closely at the address. And signing plugins doesn’t make a difference; it would be signed by “microssoft.” Remember, you don’t have to be a real person to get a certificate, just be a real company, have a real address and a real phone number. Which will be vacant and disconnected as soon as the cert is issued, leaving no trail.

    Lack of user knowledge is the real problem, and we don’t have a way to beat that yet. If ever. Heck, if we could solve that, we could eliminate people driving into buildings and getting hit by cars when they jaywalk :)

  12. Woody Says:

    just lol @ this…

    the fox is at least helpful showing the domain, it’s in the attempt to make the whole thing pretty and slimline that these details are sliced out!

  13. Kyo Says:

    @rochtweet this is not news and not surprising. This behaviour is normal for Chrome, to download files without asking. You don’t need a trick to accomplish this. That’s not to say it’s a good behaviour in any way.

  14. Martin Says:

    Does this work in IE? I mean, you get the download bar at the top of the browser, but it seems that you can’t download the file?