Bug 451619 - Redirects permit cross-domain and local-system image disclosure via CANVAS
Status: VERIFIED FIXED
Whiteboard: [sg:high] fixed by 355126
Keywords: verified1.8.1.18
Product: Firefox
Classification: Client Software
Component: Security
Version: 2.0 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Joe Drew (not getting mail)
URL: http://lcamtuf.coredump.cx/ico_sniff2...
Depends on: CVE-2008-5012
Reported: 2008-08-21 13:07 PDT by Michal Zalewski
Modified: 2009-01-05 12:38 PST
dveditz: wanted1.9.0.x-
dveditz: blocking1.8.1.18+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next-

Description Michal Zalewski 2008-08-21 13:07:59 PDT
Hi,

Chris Evans (Cc:ed) found out that the security restrictions applied to the CANVAS toDataURL() and getImageData() methods once drawImage() is called on a given CANVAS to render a non-same-origin image may be trivially bypassed if the image source is initially specified in the SRC attribute to be same-origin, but is then HTTP 30x redirected to a non-same-origin resource.

This permits theft of potentially sensitive data across domains, should the victim be logged into any services that either store private images, or provide any sensitive visualisations at predictable locations.

Just as amusingly, I noticed that this may be exploited to very accurately enumerate locally installed software - and effectively, fingerprint the computer - by abusing moz-icon: as a redirection target:

http://lcamtuf.coredump.cx/ico_sniff2.html (works in FF2 on Windows)

According to Chris, this does not affect FF3.
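As an added example that is not part of the bug report or of Firefox's own code, the following Node.js script models the canvas origin-clean decision described above. FAKE_NETWORK, the hostnames page.example and other.example, the moz-icon: path and every function name here are constructed for illustration. The buggy variant keys the decision on the URL in the SRC attribute alone, which is the reported behaviour; the fixed variant follows the redirect chain and requires every URL in it, final response included, to be same-origin with the page, and treats non-http schemes such as moz-icon: as opaque origins that never match.

```javascript
// Added example (not Firefox code): a model of the canvas "origin-clean"
// decision, contrasting the reported behaviour with the correct one.
// A canvas starts origin-clean; drawing an image from another origin must
// clear the flag so toDataURL()/getImageData() refuse to return pixels.

// Constructed stand-in for the network: each URL yields either a redirect
// hop or a final image. Hostnames and paths are placeholders.
const FAKE_NETWORK = {
  "http://page.example/self.png":     { image: "<page's own pixels>" },
  "http://page.example/bounce.png":   { redirect: "http://other.example/private.png" },
  "http://other.example/private.png": { image: "<other site's pixels>" },
  "http://page.example/ico.png":      { redirect: "moz-icon://file:///C:/placeholder.exe" },
  "moz-icon://file:///C:/placeholder.exe": { image: "<icon pixels>" },
};

// Tuple origin for http(s); anything else (moz-icon:, file:, data:) is an
// opaque origin that never matches the page, so null is returned.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Follow redirects, recording every URL the fetch passed through.
function loadImage(srcUrl, network = FAKE_NETWORK, maxHops = 20) {
  const chain = [srcUrl];
  let url = srcUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = network[url];
    if (!res) throw new Error(`no response for ${url}`);
    if (res.redirect) {
      url = res.redirect;
      chain.push(url);
      continue;
    }
    return { pixels: res.image, chain };
  }
  throw new Error("too many redirects");
}

// Reported behaviour: the decision keys on the SRC URL only, so a
// same-origin URL that redirects elsewhere leaves the canvas "clean".
function isCleanDrawBuggy(pageOrigin, srcUrl, network = FAKE_NETWORK) {
  loadImage(srcUrl, network); // pixels arrive from wherever the redirect led
  return originOf(srcUrl) === pageOrigin;
}

// Correct behaviour: every URL in the redirect chain, final response
// included, must be same-origin with the page.
function isCleanDrawFixed(pageOrigin, srcUrl, network = FAKE_NETWORK) {
  const { chain } = loadImage(srcUrl, network);
  return chain.every((u) => originOf(u) === pageOrigin);
}

// Minimal canvas: the flag is sticky once cleared, and the read-back
// method refuses to return data while it is false.
class CanvasModel {
  constructor(pageOrigin, decide) {
    this.pageOrigin = pageOrigin;
    this.decide = decide;
    this.originClean = true;
  }
  drawImage(srcUrl) {
    if (!this.decide(this.pageOrigin, srcUrl)) this.originClean = false;
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "data:image/png;base64,<encoded pixels>";
  }
}

// True when a page at pageOrigin can read back pixels after drawing srcUrl
// under the given origin-clean decision.
function canReadPixels(decide, srcUrl, pageOrigin = "http://page.example") {
  const canvas = new CanvasModel(pageOrigin, decide);
  canvas.drawImage(srcUrl);
  try {
    canvas.toDataURL();
    return true;
  } catch (e) {
    return false;
  }
}

for (const src of Object.keys(FAKE_NETWORK)) {
  console.log(src, "buggy:", canReadPixels(isCleanDrawBuggy, src),
              "fixed:", canReadPixels(isCleanDrawFixed, src));
}
```

Run with `node` and compare the two columns: only the buggy decision lets the page read pixels back after drawing `bounce.png` or `ico.png`, both of which start same-origin and redirect away. The fix is to evaluate the origin of what was actually fetched, and to do so for every hop, rather than trusting the attribute value.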
Comment 1 Jesse Ruderman 2008-08-21 18:00:45 PDT
Duplicate of bug 355126?
Comment 2 Michal Zalewski 2008-08-22 02:37:59 PDT
Looks like it, except for the novelty of the moz-icon: vector.

Come on, open since 2006? With where the web is these days, this actually permits quite a few privacy-related attacks in popular services.
Comment 3 Jesse Ruderman 2008-08-22 02:42:20 PDT
Yeah, that is pretty sad.  Do you have any juicy attack scenarios that might motivate us to fix it faster? :)
Comment 4 Michal Zalewski 2008-08-22 03:13:46 PDT
Well, moz-icon: for starters, as shown above ;-) This is something that many users probably do not want to happen (the obvious information leak aside, I'm willing to bet that fingerprinting enough installed programs and their versions, as derived from icon appearance, lets you uniquely identify most machines, too).

The other part is not conceptually different from cross-domain HTML disclosure. Until not long ago, most HTML used to be static and publicly accessible, but this has changed quickly. The same is happening with many images. I'm not gonna paste any specific URLs ;-), but several examples of graphs that might be worth stealing, assuming you're logged into any of these services:

- Your stock portfolio performance at yourbroker.com,
- Your account forecasts on yourbank.com,
- Traffic statistics for your site on foo-traffic-analysis-corp.com
- Advertisement click-through or price charts on foo-ad-solutions.com

I have even seen user names and other personal information dynamically rendered in image views served by a particular service of ours, for the purpose of conveniently embedding somewhere.
Comment 5 Chris Evans 2008-08-22 15:06:10 PDT
Can I get access to bug 355126?

Jesse, you're the guy that sat behind me on the plane to BlackHat right? Nice to bump into you again :)

I can promise to disclose on Tue Sep 16th if you're after motivation to fix it faster :D :D
Comment 6 Jesse Ruderman 2008-08-23 00:53:33 PDT
Hi again, Chris :)  Sorry for not CCing on bug 355126 earlier.
Comment 7 Chris Evans 2008-10-09 16:10:05 PDT
There's a chance I'll be speaking about browser cross-domain security in Japan on Nov 12; I'd recommend fixing it by then, unless there are no plans to ever fix this in the v2 release stream.
Comment 8 Daniel Veditz [:dveditz] 2008-10-10 18:28:20 PDT
Preserving as a separate bug because it's got an interesting testcase, but it should be the same fix as bug 355126.
Comment 9 Al Billings [:abillings] 2008-11-04 13:03:54 PST
This is fixed in 2.0.0.18. Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/2008102918 Firefox/2.0.0.18 after seeing the bug in 2.0.0.17.

Since it hasn't been resolved fixed, I'm doing that as well. :-)