[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADt-jMkCvGUucEHr+571JAqe_1hqERtvtfEE8LRsTYU4e8y-aw@mail.gmail.com>
Date: Tue, 24 Jun 2014 13:14:05 -0700
From: Diego Rodriguez <drodriguez@...ngov.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
bugtraq <bugtraq@...urityfocus.com>
Subject: Re: [FD] Boolean algebra and CSS history theft
After reading your history theft with CSS article, it got me wondering if
that's what the Passpack service is doing. I've been using passpack.com for
a while and after logging in to my account it always asks to 'click on the
black square to continue'. The page shows 8 white squares with one black
square being randomly positioned on every new log in. I've emailed passpack
asking them what it's for and am waiting for their response.
On Tue, Jun 24, 2014 at 12:14 AM, Michal Zalewski <lcamtuf@...edump.cx>
wrote:
> OK, this is more fun than any immediate risk...
>
> Those of you who follow web security topics probably remember that
> until mid-2010, you could extract very substantial chunks of one's
> browsing history by applying distinctive styling to thousands of
> off-screen :visited links and then reading that information back
> through the getComputedStyle API or in a couple of related ways.
>
> This loophole has been closed by making it practically impossible to
> programmatically measure any side effects of the styling applied to
> :visited links (spare for some relatively wonky redraw timing
> attacks). The information could be read back only with user's
> assistance, which seemed much less interesting for two reasons:
>
> 1) It is relatively difficult to come up with really compelling,
> casual interactions where the user would unwittingly divulge styling
> information on specially prepared links to a rogue website,
>
> 2) Even if you could come up with such an attack, you would be limited
> to probing roughly one visited link per click, so the throughput would
> be very low.
>
> Few months ago, I published a whimsical PoC showing that the first
> assumption may be somewhat short-sighted. True to my lifelong dream of
> becoming a fabulously wealthy game developer, I created this
> low-grade, knock-off version of Asteroids:
>
> http://lcamtuf.coredump.cx/yahh/
>
> Today, I wanted to show an equally silly but less entertaining
> proof-of-concept that touches on the latter topic. The PoC shows how
> to measure the state of multiple links - possibly a dozen or so - with
> a single casual click:
>
> http://lcamtuf.coredump.cx/css_calc/
>
> The PoC is based on carefully constructing Boolean operators with the
> extremely rudimentary subset of CSS permitted for :visited links. I
> don't want to spoil it all, but you can pull it off in a somewhat
> funny way. There is no game included; I was going to have a logo for
> this vulnerability instead, but my publicist didn't deliver (again).
>
> Cheers,
> /mz
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
--
*Diego Rodriguez*
Engineer | OpenGov <http://www.opengov.com/>
www.opengov.com | drodriguez@...ngovcom <https://twitter.com/opengovcom>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists