Sunday, February 10, 2008

Discovering Potential Vulnerabilities on Safari.

Hi folks, this morning, following the example of an old way of phishing browsers (link manipulation), I've found a Safari leak. Let me start with an easy example of unnoticed link redirection, and then we'll discuss how this bug becomes a vulnerability.
Well, our main target is to grab access to a bank account (?), Gmail (?), whatever you want. The first step, as usual, is building a clone page of our target with malicious code inside. The second step is redirecting people to this malicious site. The technique is always the same:


http://username:url@phisdomain

Here is the exact example on the latest Safari browser:



As you see in the next figure, Safari opened the page marcoramilli.blogspot.com without asking anything: no warnings and no exceptions (marcoramilli.blogspot.com doesn't ask for a username!). Safari opened it and nothing more.



Right now, it could seem quite normal; maybe you're thinking "I can see the URI bar, so I know where I am!". Well, actually, I'm not so sure that everyone looks inside the HTML code to verify whether the link points to the expected web page, but there's more! Just by adjusting the link in the URI bar, adding some spaces and eliminating the username part, the URI will appear clean and impossible for a human to detect. Let's look at it! The following image shows the phished URL before it is submitted; as you can see, human eyes can't tell the difference between this URL and the original one.



After the submission:



Of course, now you'll see the spaces (%20), but the URL has already been submitted. That means you have been redirected to the malicious website. Now it should be clear why this is a real problem. If the malicious site embeds a simple JavaScript able to grab your Gmail cookies or whatever, you've just lost your credentials.
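A defender-side check for the trick described above, added here as an example and not code from the original post: it parses a link with the WHATWG URL API (Node.js or a modern browser), compares the decoy text before "@" with the host the browser would actually contact, and returns a credential-stripped URL. attacker.example is a constructed placeholder domain.

```javascript
// Added example, not code from the original post. Flags links whose
// userinfo part (the text before "@") impersonates a different host than
// the one the browser actually connects to, as in http://site@phisdomain.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function analyzeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { parseable: false, suspicious: false, impersonation: false };
  }
  const hasUserinfo = url.username !== '' || url.password !== '';
  // What a casual reader takes for the site: the part before "@", with
  // %20 padding decoded and trimmed, or the real host if there is none.
  const apparentHost = hasUserinfo
    ? safeDecode(url.username).trim().toLowerCase()
    : url.hostname;
  return {
    parseable: true,
    hasUserinfo,
    apparentHost,
    actualHost: url.hostname,
    // Any credentials in an http(s) link deserve a warning ...
    suspicious: hasUserinfo,
    // ... and a host-like decoy that differs from the real host is the
    // phishing pattern discussed in the post.
    impersonation: hasUserinfo && apparentHost.includes('.') &&
      apparentHost !== url.hostname,
    // Same URL with the userinfo removed, safe to display to the user.
    stripped: url.origin + url.pathname + url.search + url.hash,
  };
}

// Constructed sample links (attacker.example is a placeholder domain).
const SAMPLE_LINKS = [
  'http://marcoramilli.blogspot.com/',
  'http://marcoramilli.blogspot.com:x@attacker.example/login',
  'http://marcoramilli.blogspot.com                 @attacker.example/',
  'http://user:pass@attacker.example/', // plain credential URL, no decoy host
];

// Returns only the links that show the host-impersonation pattern.
function flaggedLinks(links) {
  return links.filter((l) => analyzeLink(l).impersonation);
}
```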


UPDATE:

The Apple security team contacted me; they're very, very, extremely fast and nice. :P

Sean Peisert asked me: "What about iPhone?". That's true!! The iPhone has Safari too, and it's very common to use an iPhone to access bank accounts.... Anyway, the answer was: yep, the iPhone is vulnerable too.




1 comment:

Yuan said...

We noticed a similar behavior for URL parsing on the Nintendo DS Opera browser. :) It's even worse because the URL scrolls, so with enough white space you can have
http://realsite ... http://fakeurl