[meta] Investigate remediations against poisontap (http hijacking, cookie stealing, etc. etc.)




3 years ago
2 months ago


(Reporter: grin, Unassigned, NeedInfo)



52 Branch

Firefox Tracking Flags

(Not tracked)




3 years ago
See this recent gem of hackery:


It is using a locally faked MITM station to do various bad things through web browsers.
Maybe there isn't anything we can do about it (apart from the general advice "use TLS anywhere), maybe there are some aspects to learn from. Just sharing, in case you've missed.

You can close this bug at your will or share it as you please.

Sort summary:
PoisonTap - siphons cookies, exposes internal router & installs web backdoor on locked computers

Created by @SamyKamkar || https://samy.pl

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

    emulates an Ethernet device over USB (or Thunderbolt)
    hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
    siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
    exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
    installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
    allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
    does not require the machine to be unlocked
    backdoors and remote access persist even after device is removed and attacker sashays away

Comment 1

3 years ago
This is public, so the bug can be public. An alternative URL with a detailed description of how this works: https://github.com/samyk/poisontap

I wonder if our http layer could detect the 'map all the internet to this 1 device' methods this is using, similar to our captive portal detection, or perhaps even at the network interface layer (not sure to what degree we're aware of this within netwerk/ ). Selena, are you the right person to forward this to others to look into?
Group: firefox-core-security
Flags: needinfo?(sdeckelmann)
Keywords: meta
Summary: poisontap; you may want to be aware of this pack of local browser attacks → Investigate remediations against poisontap (http hijacking, cookie stealing, etc. etc.)
NI -> wennie for review/prioritization.
Flags: needinfo?(sdeckelmann) → needinfo?(wleung)

Comment 3

2 years ago
Hi Dan, can you comment on this bug?
Flags: needinfo?(wleung) → needinfo?(dveditz)
The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:wleung, maybe it's time to close this bug?
Flags: needinfo?(wleung)
Summary: Investigate remediations against poisontap (http hijacking, cookie stealing, etc. etc.) → [meta] Investigate remediations against poisontap (http hijacking, cookie stealing, etc. etc.)

Comment 5

5 months ago

Let's close this bug.

Flags: needinfo?(wleung)
Type: defect → task
You need to log in before you can comment on or make changes to this bug.