Full Disclosure mailing list archives

By Date By Thread Firefox FindMyDevice Critical ClickJacking Security Vulnerability From: "Mohamed A. Baset" <symbian2010 () gmail com>

Date: Mon, 19 Oct 2015 14:00:00 -0500

Author Name Mohamed Abdelbasset Elnouby Abouelwaffa Contact Details: https://twitter.com/SymbianSyMoh https://mx.linkedin.com/in/SymbianSyMoh Vulnerability Details: Firefox FindMyDevice Critical ClickJacking Security Vulnerability Vulnerability: ClickJacking Info: https://www.owasp.org/index.php/Clickjacking Affected URL(s): https://find.firefox.com PoC Screenshot: Included as an attachment For non email receptionist "https://goo.gl/FUkFVm" In-depth analysis of the Vulnerability: Regardless The security protection mechanism which is that that attacker definitely can't guess or brute force the Device id "8fcXXXXc40de04b3803945XXXXXXXXXX" which is a part of the URL to the victim's profile to make a successful clickjacking attack iframe, in fact this protection mechanism is too low coz all the attacker to do is just to point the logged in user to his iframe source https://find.firefox.com and Mozilla will care about the rest "redirect the victim to the correct logged in active device id. What attacker can do: 1-"Erase the victim's device data" With just only 3 clicks by the victim himself if he tricked with "click here to win a 50 BTC for Example 2-"Lock The victim device or change his lock code" if it is the first time to be set "4 clicks" 3-"Makes the Device ringing" 2 clicks" Expected results: Find My Device web interface mustn't be iframed Apply XFO or Frame Busting techniques More Details About clickjacking: Because of No Frame Busting Techniques or X-Frame-Options header, the whole website is vulnerable to Clickjacking attacks which could lead to a full account takeover considering such scenario: 1. Attacker will iframe any sensitive the website page and adjust the iframe size and add a "divs" as a layers on the unwanted-to-show parts of the original web page to fool and trick the user. 2. User get tricked by the crafted page and followed the attacker's instruction to do a specific clicks to the iframed page 3. Unwanted actions happened in the logged in user's session in result to the attack's clicks. Remedy: 1- Add an X-Frame-Options HTTP Header and set it's value to "Deny" or "Sameorigin" as you can see it suitable to mitigate such attacks 2- Use iframe busting techmiques in JS code like this: <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = 'Your_Website_URL_Here'; } </script> or <script type="text/javascript"> // Disable frame hijacking if (top != self) top.location.href = location.href; </script> Actual results: Find My Device web interface is iframable which makes it vulnerable to ClickJacking Attacks References: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options Original Report: https://bugzilla.mozilla.org/show_bug.cgi?id=1100004 Thanks​ -- *Best Regards**,**,* *Mohamed Abdelbaset Elnoby*Guru Programmer, Information Security Evangelist & Bug Bounty Hunter. LinkedIn <https://www.linkedin.com/in/symbiansymoh>Curriculum Vitae <http://goo.gl/cNrVpL> <https://www.linkedin.com/in/symbiansymoh>Facebook <https://fb.com/symbiansymoh>Twitter <https://twitter.com/symbiansymoh> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Firefox FindMyDevice Critical ClickJacking Security Vulnerability Mohamed A. Baset (Oct 19)