Cross-domain search ¥¿¥¤¥ß¥ó¥°

I've been meaning to fiddle around with ¥¿¥¤¥ß¥ó¥° attacks for a while. I've had ¤µ¤Þ¤¶¤Þ¤Ê discussions in the past about the significance of login ·è°Õ attacks (´Þ¤àing ones I ÀßΩ¤¹¤ë myself) and my usual ÊÖÅú would be "it's all ƤµÄ¤¹¤ë -- the ¹¶·â¼Ô could just use a ¥¿¥¤¥ß¥ó¥° attack". Finally, here's some ammo to support that position. And -- actual cross-domain data ÀàÅð using just a ¥¿¥¤¥ß¥ó¥° attack, as a ÆÃÊ̼êÅö.

Unfortunately, this is another »öÎã¡¿´µ¼Ô of the web ¸ºß built upon broken specifications and µÄÄê½ñs. There's nothing to stop domain evil.com ¸ÀµÚ¡¿´ØÏ¢ing »ñ¸»s on some.¶ËÅ٤οµ½Å¤µ¤òÍפ¹¤ë.domain.com and ¥¿¥¤¥ß¥ó¥° how long the server takes to Åú¤¨¤ë¡¿±þ¤¸¤ë. For a GET request, a good bet is the <img> tag ²Ã¤¨¤ë the onerror() / onload() events. For a POST request, you can direct the ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë to an <iframe> element and ´Æ»ë¤¹¤ë the onload() event.

Why should an evil domain be able to read ¥¿¥¤¥ß¥ó¥° ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë from any other domain? Messy. ¸½¼Â¤Ë, it's even worse than that. Even if the ³Ë¿´ web model didn't ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·â the ´ØÏ¢¤·¤¿ event °·¤¦s for cross-domain Ééôs, there would still be trouble. The ¹¶·â¼Ô is at liberty to ´Æ»ë¤¹¤ë the ¶ÈÀÓ¡¿À®²Ì of a bunch of busy-ÃèÊÖ¤êÈô¹Ôs in Javascript. The ¹¶·â¼Ô then ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ës or opens a new window for the HTML page they are Íø±×¡¿¶½Ì£d in. When ¶ÈÀÓ¡¿À®²Ì ¸º¾¯¡Ê¤¹¤ë¡Ës, the server likely Åú¤¨¤ë¡¿±þ¤¸¤ëd. When ¶ÈÀÓ¡¿À®²Ì goes up again, the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í likely finished ¡ÊȽ·è¤Ê¤É¤ò¡Ë²¼¤¹ing. That's two events and ¸½¼Â¤Ë a ϳ¤ì¤ë of more ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë that the pure-event »öÎã¡¿´µ¼Ô.

Moving on to something real. The most usable ¸¶»Ï¤Î that this gives the ¹¶·â¼Ô is a 1-bit ϳ¤ì¤ë of ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë. i.e. was the request Èæ³Ó¤·¤Æ µÞ®¤Ê¡¿ÊüÆ¢¤Ê or Èæ³Ó¤·¤Æ slow? I have a little ¥Ç¥â:

https://cevans-app.appspot.com/static/ymailtimings.html

It takes a few sec onds, but if I'm not logged into Yahoo! Mail, I see:

DONE! 7 79 76 82

From the Èæ³Ó¤·¤Æ flat ¥¿¥¤¥ß¥ó¥°s of the last three ¥¿¥¤¥ß¥ó¥°s (three different inbox searches) and the ¿Æ² latency between the first number and the latter three, it's pretty ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹ I'm not logged in to Yahoo! Mail.

If I'm logged in, I see:

DONE! 10 366 414 539

This is where things get Íø±×¡¿¶½Ì£ing. I am ÌÀ³Î¤Ë logged in because of the ½ÅÍ×¤Ê server latency inherent in a text search within the inbox. But better still, the last three numbers Âåɽ¤¹¤ë searches for the words nosuchterm1234, ¶ËÅ٤οµ½Å¤µ¤òÍפ¹¤ë and the. Even with a ¶á¤Å¤¯-empty inbox, the server has at least a 40ms difference in ºÇ¾®¸Â latency between a query for a word not in the º÷°ú, and a query for a word in the º÷°ú. (I mailed myself with ¶ËÅ٤οµ½Å¤µ¤òÍפ¹¤ë in the »ÙÇÛ¤¹¤ë to make a ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹ point).

There are many places to go from here. We have a ¸¶»Ï¤Î which can be used to ask cross-domain YES/NO questions about a µ¾À·¼Ô's inbox. Depending on the ÎÏ¡¿¶¯ÎϤˤ¹¤ë of the search we are ÍðÍÑing, we can ask all sorts of questions. e.g. "Has the µ¾À·¼Ô ever mailed X?", "If so, within the past day?", "Does the word ¼ýÆþs appear in the last week?", "What about the phrase '¼ýÆþs ¤Ï¤Ã¤­¤ê¤È É餫¤¹¡¿·âÄƤ¹¤ë'?" etc. etc. By asking the ¸¢Íø YES/NO questions in the ¸¢Íø order, you could ºÆ·ú¤¹¤ë Àë¹ð¡¤È½·ès.

It's important to ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë this is not a failing in any particular ¾ì½ê¡¿°ÌÃÖ. A particular ¾ì½ê¡¿°ÌÃÖ can be ¤Ë°ú¤­Â³¤¤¤Æ ¸½ºß¤Î best practices and still be bitten by this. Fundamentally, many search Áàºî¡¿¼ê½Ñs on web ¾ì½ê¡¿°ÌÃÖs are Èó¡¤ÉÔ¡¤Ìµ-ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë-changing GETs or POSTSs and therefore do not need XSRF Êݸî. The ²òÅú, of course, is to Äɲ乤ë it (and do the check before doing any work on the server like walking º÷°ús)!

With thanks to Michal Zalewski for Íø±×¡¿¶½Ì£ing ¿³µÄ and Christoph Kern for pointing out this ACM paper, whi ch I ¹Á¡¿ÈòÆñ½ê't read but from the abstract it sounds like it covers some ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ serious angles of the same base attack.