Blog on security, programming, & other musings

Pwning Freenet With Clickjacking

Introduction

Freenet is an open-source, distributed, and decentralized file storage network.

Like I2P, Freenet uses a web server on a user's local machine to provide configuration and access to their client through a web browser.

This opens Freenet up to the class of vulnerabilities that all web applications are prone to.

Security headers

The first thing I check before looking for common web issues is the HTTP response headers the server is returning, such as the 'Content Security Policy' header.

As it turned out, Freenet was returning a CSP header, however, it was improperly configured using a deprecated feature 'frame-src', which is not currently supported by Firefox, Chrome, and perhaps other browsers.

Clickjacking

The incorrect CSP header meant that attackers could embed the Freenet client in an invisible iframe to capture the user's clicks to change the user's client settings, such as their 'security level', their plugins settings (e.g. installing malicious plugins), shutdown/restart their node, etc.

Fixing the Vulnerability

I contacted the Freenet developers, who patched this in 0.7.5 build 1477

Conclusion

It seems many networks like Freenet suffer from the same category of issues: web attacks. I think in the future distributed networks should try to move away from the web.

I recommend anyone on an outdated version of Freenet update as soon as possible.