Chris Evans (Cc:ed) found out that the security restrictions applied to the CANVAS toDataURL() and getImageData() methods once drawImage() is called on a given CANVAS to render a non-same-origin image may be trivially bypassed if the image source is initially specified in the SRC attribute as same-origin, but is then HTTP 30x redirected to a non-same-origin resource.
This permits theft of potentially sensitive data across domains, should the victim be logged into any services that either store private images, or provide any sensitive visualisations at predictable locations.
Just as amusingly, I noticed that this may be exploited to very accurately enumerate locally installed software - and effectively, fingerprint the computer - by abusing moz-icon: as a redirection target:
http://lcamtuf.coredump.cx/ico_sniff2.html (works in FF2 on Windows)
According to Chris, this does not affect FF3.
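To make the mechanism in the report above (and the moz-icon: fingerprinting variant discussed further down) concrete, here is an added example in Node.js. It is not code from the bug report, the testcase, or Mozilla's canvas implementation: it is a small model of the canvas origin-clean flag with a constructed redirect table, hostnames and paths, showing the vulnerable decision (check only the URL in the SRC attribute) next to the corrected one (check every URL the image request actually touched after following redirects).

```javascript
// Added example, not code from the bug report or from Mozilla's canvas
// implementation: a model of the canvas "origin-clean" flag showing why the
// same-origin check must cover every URL an image request touched after
// HTTP 30x redirects, not only the URL written in the SRC attribute.
// Hostnames, paths and the redirect table below are constructed.

// Constructed stand-in for HTTP 30x responses served by the attacker's host.
const REDIRECTS = {
  "http://attacker.example/chart.png":
    "https://yourbroker.example/charts/portfolio.png",          // cross-origin image theft
  "http://attacker.example/icon.png":
    "moz-icon://file:///C:/Program%20Files/Foo/foo.exe?size=32", // installed-software probe
};

// Origin of an absolute URL as "scheme://host:port". Anything that is not
// http(s) gets an opaque origin (null) and can never be same-origin.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (scheme !== "http" && scheme !== "https") return null;
  const [host, port] = m[2].toLowerCase().split(":");
  return `${scheme}://${host}:${port || (scheme === "https" ? "443" : "80")}`;
}

// Model image loader: follows redirects like a browser and reports every URL
// visited, so the caller can see where the response really came from.
function loadImage(requestUrl) {
  const chain = [requestUrl];
  let current = requestUrl;
  while (Object.prototype.hasOwnProperty.call(REDIRECTS, current)) {
    if (chain.length > 20) throw new Error("too many redirects");
    current = REDIRECTS[current];
    chain.push(current);
  }
  return { finalUrl: current, chain };
}

class ModelCanvas {
  // checkRedirectChain=false reproduces the vulnerable behaviour described in
  // the report; true is the corrected behaviour. Pre-CORS model: there is no
  // crossorigin attribute, so any cross-origin pixel taints the canvas.
  constructor(documentOrigin, checkRedirectChain) {
    this.documentOrigin = documentOrigin;
    this.checkRedirectChain = checkRedirectChain;
    this.originClean = true;
    this.bitmap = []; // stand-in for decoded pixels: the URLs that were drawn
  }

  drawImage(srcAttribute) {
    const { finalUrl, chain } = loadImage(srcAttribute);
    const urlsToCheck = this.checkRedirectChain ? chain : [srcAttribute];
    if (urlsToCheck.some((u) => originOf(u) !== this.documentOrigin)) {
      this.originClean = false;
    }
    this.bitmap.push(finalUrl);
  }

  // Both read-back methods are gated by the same flag.
  assertOriginClean() {
    if (!this.originClean) {
      throw new Error("SecurityError: canvas has been tainted by cross-origin data");
    }
  }
  getImageData() {
    this.assertOriginClean();
    return this.bitmap.slice();
  }
  toDataURL() {
    this.assertOriginClean();
    return "data:image/png;base64," + Buffer.from(this.bitmap.join("\n")).toString("base64");
  }
}

// An attacker page on attacker.example draws an image whose SRC is same-origin
// and tries to read it back. Returns what leaks, if anything.
function attemptReadback(srcAttribute, checkRedirectChain) {
  const canvas = new ModelCanvas("http://attacker.example:80", checkRedirectChain);
  canvas.drawImage(srcAttribute);
  try {
    return { leaked: true, pixels: canvas.getImageData() };
  } catch (err) {
    return { leaked: false, error: err.message };
  }
}

// Run every constructed redirect through both behaviours.
function demo() {
  const out = {};
  for (const src of Object.keys(REDIRECTS)) {
    out[src] = { vulnerable: attemptReadback(src, false), fixed: attemptReadback(src, true) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable mode both redirected images come back through getImageData(), which is exactly the cross-domain theft and the moz-icon: probe the thread describes; in the fixed mode the canvas is tainted as soon as any URL in the redirect chain fails the origin comparison, while a plain same-origin image without a redirect still reads back normally.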
Duplicate of bug 355126?
Looks like it, except for the novelty of the moz-icon: vector.
Come on, open since 2006? With where the web is these days, this actually permits quite a few privacy-related attacks in popular services.
Yeah, that is pretty sad. Do you have any juicy attack scenarios that might motivate us to fix it faster? :)
Well, moz-icon: for starters, as shown above ;-) This is something that many users probably do not want to happen (the obvious information leak aside, I'm willing to bet that fingerprinting enough installed programs and their versions, as derived from icon appearance, lets you uniquely identify most machines, too).
The other part is not conceptually different from cross-domain HTML disclosure. Until not long ago, most HTML used to be static and publicly accessible, but this has changed quickly. The same is happening with many images. I'm not gonna paste any specific URLs ;-), but several examples of graphs that might be worth stealing, assuming you're logged into any of these services:
- Your stock portfolio performance at yourbroker.com,
- Your account forecasts on yourbank.com,
- Traffic statistics for your site on foo-traffic-analysis-corp.com
- Advertisement click-through or price charts on foo-ad-solutions.com
I have even seen user names and other personal information dynamically rendered in image views served by a particular service of ours, for the purpose of conveniently embedding somewhere.
Can I get access to bug 355126?
Jesse, you're the guy that sat behind me on the plane to BlackHat right? Nice to bump into you again :)
I can promise to disclose on Tue Sep 16th if you're after motivation to fix it faster :D :D
Hi again, Chris :) Sorry for not CCing on bug 355126 earlier.
There's a chance I'll be speaking about browser cross-domain security in Japan on Nov 12; I'd recommend fixing it by then, unless there are no plans to ever fix this in the v2 release stream.
Preserving as a separate bug because it's got an interesting testcase, but it should be the same fix as bug 355126.
This is fixed in 18.104.22.168. Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/2008102918 Firefox/126.96.36.199 after seeing the bug in 188.8.131.52.
Since it hasn't been resolved fixed, I'm doing that as well. :-)