Breaking The Sandbox

Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.

Sandboxing is a set of additional attributes that can be applied to an iframe in order to restrict the actions and APIs available to the content inside that iframe.

These restrictions can include directives like disallowing JavaScript or blocking top level navigation unless prompted by user action. Sandboxing tends to have a pretty substantial impact as far as malicious ad mitigation is concerned, though it’s not a panacea.

A large majority of sandboxed cross-origin ad serving happens to come from Google — this includes both AdX and EBDA.

We tested the eGobbler payload against the standard set of sandboxing attributes as they exist in 90% of Google’s ad serving products. The attributes include:

allow-forms

allow-pointer-lock

allow-popups

allow-popups-to-escape-sandbox

allow-same-origin

allow-scripts

allow-top-navigation-by-user-activation

On the surface, the allow-popups directives make it seem that there is nothing special about eGobbler’s payload. This is not the case: these actions should only be possible as a result of direct user interaction, a requirement that the eGobbler exploit successfully circumvents.
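As an added example (not code from the original post), the following audits an iframe sandbox attribute value the way a reviewer of an ad slot would: it parses the token list as a browser does and reports the combinations that weaken the sandbox, including whether top-level navigation is gated on user activation. The input string is constructed to match the attribute set listed above; the helper and finding names are this example's own.

```javascript
// Added example: audit an iframe's sandbox token list from a defender's view.
// Token semantics follow the HTML spec's sandboxing flags.
const KNOWN_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock', 'allow-pointer-lock',
  'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation', 'allow-downloads',
]);

// Parse a sandbox attribute value as the browser does: a set of unique,
// ASCII-whitespace-separated tokens, matched case-insensitively.
function parseSandbox(value) {
  const tokens = new Set();
  for (const raw of value.split(/[ \t\n\f\r]+/)) {
    if (raw) tokens.add(raw.toLowerCase());
  }
  return tokens;
}

// Return the findings a reviewer would want for an ad iframe's sandbox.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token ignored by browsers: ${t}`);
  }
  // A same-origin frame with script access can delete its own sandbox
  // attribute, so these restrictions only hold for cross-origin content.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: sandbox is void for same-origin content');
  }
  // Windows opened with allow-popups-to-escape-sandbox inherit none of the flags.
  if (tokens.has('allow-popups') && tokens.has('allow-popups-to-escape-sandbox')) {
    findings.push('popups escape the sandbox: opened windows run unrestricted');
  }
  // Unconditional top navigation lets the frame redirect the page with no gesture.
  if (tokens.has('allow-top-navigation')) {
    findings.push('allow-top-navigation: frame may redirect top-level page without user activation');
  }
  const navGated = tokens.has('allow-top-navigation-by-user-activation')
    && !tokens.has('allow-top-navigation');
  return { tokens: [...tokens].sort(), topNavGatedOnUserActivation: navGated, findings };
}

// Constructed input: the attribute set the article lists for Google ad slots.
const GOOGLE_AD_SANDBOX = 'allow-forms allow-pointer-lock allow-popups '
  + 'allow-popups-to-escape-sandbox allow-same-origin allow-scripts '
  + 'allow-top-navigation-by-user-activation';
```

Run against the constructed attribute set, the audit confirms that top navigation is gated on user activation, which is exactly the gate the article says the payload bypasses.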

The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes.

Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.

We believe that this exploit was key in magnifying the impact of this attack. Where standard sandboxing rules like the ones above would ultimately succeed in blocking certain redirections, they consistently failed to protect users from this campaign on iOS Chrome.