lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Dec 2007 00:04:57 +0100 From: Thomas Roessler <tlr@...org> To: bugtraq@...urityfocus.com Cc: brett@...froot.co.nz, mail@...-ward.co.uk Subject: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets Twitgit [1] and Twitterlex [2] are two MacOS X Dashboard widgets (developed in JavaScript) that can be used to display twitter.com updates. Both regularly retrieve data using the Twitter JSON API and parse whatever is returned with eval(). Both relax the dashboard's JavaScript sandbox to enable the widget.system() call, which indeed amounts to the equivalent of system(3); i.e., if an attacker can take over the widget, the attacker can take over the user's account (and, quite often, the system). The data are retrieved through plain HTTP. Therefore, these widgets are vulnerable to at least: - cross-site-scripting attacks through Twitter - subversion of Twitter and, in the case of Twitterlex, also subversion of a server used for update notifications - man-in-the-middle attacks against local networks (Also, deliberately malicious behavior by either Twitter or the author of at least Twitterlex is a risk from a security perspective; if one was to assume malice, then Twitterlex could be classified as a nifty backdoor.) What makes this case particularly interesting is that this is a case in which -- along with the development platform, JavaScrit -- the borders between Web and local vulnerabilities get increasingly blurry. It would probably be an interesting exercise to go through some more dashboard widgets and grep for eval. I'd bet quite a bit that there's much more out there. 1. http://inner.geek.nz/projects/twitterlex/ 2. http://ben-ward.co.uk/widgets/twitgit/ Regards, -- Thomas Roessler, W3C <tlr@...org>
Powered by blists - more mailing lists