ASafety - AntiSecurity, a project you'll hold dear...

Hacker Creates Plugin That Trashes Chrome’s Security


Post by x[@♥] » Mon 12 Jul 2010 07:31

Hacker Creates Plugin That Trashes Chrome’s Security


Nice topic. Clearly, once an extension controls the DOM, there is no more "cross-domain" request restriction: it only needs to force a given URL to open in order to read its content and play with the DOM. Likewise, as this article shows, everything typed into login forms can be recovered.

But what makes this specific to Google Chrome? It is entirely conceivable that Firefox could fall victim to the same kind of extension. I'll try to illustrate that with an example, if time permits.

We hate to scare you on Friday right before a good weekend, but this story is alarming enough that you need to hear about it. Before we proceed, know that this exploit is out in the open; be extra careful when you install any Chrome plugin, as you may be at risk.

The exploit, developed by programmer Andreas Grech, employs a plugin coded using jQuery to track users’ login information and have it emailed to himself. He claims that he has tested the plugin, and that it has been successful against Twitter, Gmail, and Facebook. In his own words:

The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.

The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.

If you doubt his statements, he has included the code for the plugin on his website.

In some way, we all owe Mr. Grech a thank you for finding the flaw and proving its existence. Now that this is well known, Google can plug the hole and restore peace of mind to its millions of users.

For now, only install plugins from people you know and trust; this exploit is dangerous.


Src here!

:hat:
Temp...
x[@♥]
Posts: 1115
Joined: Mon 21 Sep 2009 15:21
Location: Sur la root
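The point made above is that an extension gets its reach from how widely its scripts are allowed to run, not from a browser bug. The following is an added example, not code from the original post or from Grech's PoC: a static audit of a Chrome extension's manifest.json that flags the combination a form-capturing extension needs, namely a content script matching every site (DOM access to any login form) plus host permissions covering every origin (an Ajax call to anywhere). Field names follow Chrome's documented manifest format (`content_scripts[].matches`, `permissions`, `host_permissions`); the two sample manifests are constructed.

```javascript
// Added example (not from the original post or from Grech's PoC): a static
// audit of a Chrome extension manifest.json for the capability the post
// relies on, i.e. content scripts that run, and can read the DOM, on every
// site, plus host permissions that let the extension talk to any origin.
// The two sample manifests at the bottom are constructed.

// Match patterns that cover every host a user could log in to.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// True when a match pattern places no restriction on the host part.
function isAllSites(pattern) {
  if (typeof pattern !== 'string') return false;
  if (ALL_SITES.has(pattern)) return true;
  const m = /^(\*|https?|ftp):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === '*';
}

function assessManifest(manifest) {
  const findings = [];

  // 1. Content scripts injected into pages: a script matching every site can
  //    hook form submission and read username/password fields.
  (manifest.content_scripts || []).forEach((cs, i) => {
    const matches = cs.matches || [];
    if (matches.some(isAllSites)) {
      findings.push({
        kind: 'content_script_all_sites',
        detail: `content_scripts[${i}] ${JSON.stringify(cs.js || [])} matches ${matches.join(', ')}`,
      });
    }
  });

  // 2. Host permissions: with these the extension's own pages may send
  //    requests to any origin, which is what an Ajax exfiltration call needs.
  const hostPerms = []
    .concat(manifest.permissions || [], manifest.host_permissions || [])
    .filter(isAllSites);
  if (hostPerms.length > 0) {
    findings.push({ kind: 'host_permission_all_sites', detail: hostPerms.join(', ') });
  }

  // Both together is the combination a form-capturing extension needs;
  // either alone still deserves a manual look before installing.
  const kinds = new Set(findings.map(f => f.kind));
  const level = kinds.size === 2 ? 'high' : kinds.size === 1 ? 'medium' : 'low';
  return { level, findings };
}

// Constructed sample: the shape of manifest a form-capturing extension needs.
const SUSPECT_MANIFEST = {
  name: 'Example Helper',
  version: '1.0',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['jquery.js', 'content.js'], run_at: 'document_end' }],
};

// Constructed sample: a scoped extension that only touches one site.
const SCOPED_MANIFEST = {
  name: 'Example Site Tweaks',
  version: '1.0',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://www.example.com/*'], js: ['tweaks.js'] }],
};

console.log(JSON.stringify(assessManifest(SUSPECT_MANIFEST), null, 2));
console.log(JSON.stringify(assessManifest(SCOPED_MANIFEST), null, 2));
```

A subdomain wildcard such as `*://*.example.com/*` is deliberately not treated as "all sites": it scopes the script to one domain, which is the normal shape of a legitimate site-specific extension.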

Re: Hacker Creates Plugin That Trashes Chrome’s Security

Post by x[@♥] » Thu 15 Jul 2010 07:55

Ha, I thought so. Here is today's news for Firefox:

Mozilla snuffs password pilfering Firefox add-on

Beware unreviewed software calling itself Mozilla Sniffer

By Cade Metz in San Francisco

Posted in Malware, 15th July 2010 00:42 GMT

Mozilla has disabled and block-listed a Firefox add-on containing code that nabs login data sent to any website and reroutes it to a remote server.

The add-on — known as, um, Mozilla Sniffer — was uploaded to the Firefox add-on site on June 6, and the malicious code was discovered on Monday, after which the add-on was block-listed. This means netizens who installed the add-on will be prompted to remove it. Mozilla also says that, yes, anyone who has installed the add-on should change their web passwords tout de suite.

"If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location," Mozilla said in a Tuesday blog post, before adding that the remote server charged with collecting passwords appeared to be down.

According to Mozilla, the Sniffer was downloaded about 1,800 times, and as of Tuesday, there were 334 active users.

The add-on had not been reviewed by Mozilla. It was marked as "experimental", meaning that anyone who attempted to install it received a warning that the code had not been reviewed. Such unreviewed add-ons are merely scanned for viruses, trojans, and other malware.

Mozilla, however, is (slowly) developing a new security model designed to prevent unreviewed add-ons from being served to world+dog. "Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site."

The proposed model is described in detail here.

Mozilla also said it had discovered a security vulnerability in version 3.0.1 of a far more popular add-on known as CoolPreviews, which displays previews of webpages when you mouse over links. Version 3.0.1 and earlier versions have been disabled, and a patched add-on has been uploaded to addons.mozilla.org.

According to Mozilla, when the user mouses over a link, the add-on could execute remote JavaScript code with local chrome privileges, giving an attacker control over the user's machine. "If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution," Mozilla said.

About 177,000 users had a vulnerable version of the add-on installed as of Tuesday — less than 25 per cent of total users. Mozilla intends to block-list vulnerable versions "very soon."


Src here!

:hat:
Temp...

Re: Hacker Creates Plugin That Trashes Chrome’s Security

Post by x[@♥] » Fri 16 Jul 2010 07:40

Firefox security test add-on was backdoored

News! And extracts of the Ajax sniffing functions!

A backdoor has been discovered among a collection of security testing tools for Firefox.

The rogue Mozilla Sniffer add-on was included in the Web Application Security Penetration Testing collection. This set of tools is popular within the security community, as it simplifies the process of discovering vulnerabilities in web applications.

However, using the Mozilla Sniffer add-on would have introduced an unexpected vulnerability in any application being tested — whenever a login form was submitted, the add-on secretly sent a copy of the URL, password and other details to an IP address presumably controlled by the malicious author.

The backdoor was fortunately discovered by Mozilla user Johann-Peter Hartmann of SektionEins while he was using the Mozilla Sniffer add-on to test the security of a friend's online game.

Hartmann told Netcraft:

"I was giving the OWASP Firefox Security Collection a try, installed a bundle of extensions unknown to me and started to have a look at a friend's online game from a security point of view. I started Burp Suite Pro in parallel to check what additional help I can get from the extensions, and to watch what they are doing."

When Hartmann logged into his friend's game, he noticed an unusual HTTP request being made to an unrelated address at http://74.220.219.77. This request transmitted his username and password to the remote server, as well as the URL of the login page.

Hartmann assumed that this nefarious behaviour was caused by one of the new add-ons he had just installed, so he set about extracting the source code from the add-ons and searched for the hidden URL. He was surprised to find the backdoor code in a popular security testing add-on called Tamper Data, although this was because the real rogue add-on — Mozilla Sniffer — was sharing the same UUID as the Tamper Data add-on, which meant it had overwritten the contents of the well-trusted Tamper Data directory. Hartmann said this was a "nice way of hiding backdoor code".

The Mozilla Sniffer add-on overwrote some of the original Tamper Data files, and also added a new script named tamperPost.js. This injects a new search() function, which is called whenever a form is submitted by the browser. This function searches for any forms that have non-empty password fields and then uses two other functions to send the purloined data to the fraudster:




After working out that the Mozilla Sniffer add-on was at fault, Hartmann reported the problem to security@mozilla.org and was impressed by Mozilla's fast and professional response — he received a reply within minutes and the extension was pulled from the site shortly afterwards. Mozilla will be automatically disabling the add-on for anyone who has downloaded and installed it.

Before the add-on was pulled, Hartmann also posted a short review to warn other users:




The fraudster responsible for creating the malicious add-on claims (in poor English) to have been developing Mozilla add-ons since 2009, yet only created an account on the site last month:




Readers of All Things Digital may recognise the photograph as being of deputy managing editor John Paczkowski, who has confirmed to Netcraft that he is not the owner of this Mozilla account and that someone else has used his photo.

Although the Mozilla Sniffer extension was labeled as 'experimental', the malicious author tried to add credence by claiming it had been "validated by MOZILLA validation and reviewed by more than one addon developers" [sic]:




Mozilla subsequently confirmed that they had not reviewed this add-on and are currently working on a new security model that will require all add-ons to be code-reviewed before becoming discoverable on addons.mozilla.org.

Many web applications that undergo security testing are not production ready and may have exposed vast amounts of data and resources to whoever has been harvesting the URLs and passwords stolen by this add-on. Johann-Peter Hartmann told Netcraft that this was the first time he had seen a Firefox add-on being misused as a backdoor, and questioned whether many people check add-ons before using them, particularly when they appear to come from an official source.


Src here!

Poor guy... Either he hid his game very well to make it look like it wasn't him, or someone has a personal grudge against him. It really surprises me that a relatively well-known and widely used extension had (apparently) code "in the clear", without any obfuscation, that makes external Ajax requests to stash data for an attacker.

But what is Mozilla doing? Don't they have a source-code scanning system? Even a basic one? To analyse and detect anything resembling an attack in the extensions submitted to them?

If not, it would really be worth getting one...

The attacker's site is now offline. Phew.

:hat:
Temp...
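Hartmann found the backdoor by watching, in an intercepting proxy, for a login submission that was then repeated to an unrelated address. The following is an added example, not the add-on's code and not from Netcraft: a detector that runs over proxy-captured requests, indexes every password-bearing POST by the host it went to, and flags any request to a different host whose URL or body carries the same secret (raw or URL-encoded). The captured requests are constructed, the field-name pattern is an assumption, and the collecting address is a TEST-NET placeholder, not the one named in the article.

```javascript
// Added example (not from the add-on or from Netcraft): spot a login form
// being mirrored to an unrelated host in proxy-captured traffic, the pattern
// Hartmann noticed with Burp. The capture below is constructed; 192.0.2.10 is
// a documentation-range placeholder for the collecting server.

// Field names that usually carry a password (assumption; extend as needed).
const PASSWORD_FIELDS = /^(pass(word|wd)?|pwd|secret)$/i;

// Minimal application/x-www-form-urlencoded parser.
function parseForm(body) {
  const out = {};
  if (!body) return out;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    try {
      out[decodeURIComponent(k.replace(/\+/g, ' '))] = decodeURIComponent(v.replace(/\+/g, ' '));
    } catch (e) {
      out[k] = v; // leave malformed escapes as-is rather than drop the field
    }
  }
  return out;
}

function findCredentialMirroring(requests) {
  // Pass 1: every POST carrying a non-empty password field, keyed by its host.
  const logins = [];
  for (const req of requests) {
    if (req.method !== 'POST') continue;
    const fields = parseForm(req.body);
    const pwKey = Object.keys(fields).find(k => PASSWORD_FIELDS.test(k));
    if (pwKey && fields[pwKey]) logins.push({ host: req.host, secret: fields[pwKey], req });
  }

  // Pass 2: any request to a *different* host whose path or body repeats the
  // secret, raw or percent-encoded. Same-host requests are skipped on purpose:
  // a site re-posting its own form is normal, a third party seeing it is not.
  const alerts = [];
  for (const login of logins) {
    const needles = [login.secret, encodeURIComponent(login.secret)];
    for (const req of requests) {
      if (req === login.req || req.host === login.host) continue;
      const haystack = `${req.path}\n${req.body || ''}`;
      if (needles.some(n => haystack.includes(n))) {
        alerts.push({ loginHost: login.host, leakHost: req.host, leakPath: req.path, method: req.method });
      }
    }
  }
  return alerts;
}

// Constructed capture: a login to a game site, followed by the same
// credentials (and the login URL) posted to an unrelated address.
const CAPTURE = [
  { method: 'GET',  host: 'game.example', path: '/login', body: '' },
  { method: 'POST', host: 'game.example', path: '/login', body: 'user=jph&password=s3cr%3Dt%26x&remember=1' },
  { method: 'POST', host: '192.0.2.10',   path: '/collect.php',
    body: 'url=http%3A%2F%2Fgame.example%2Flogin&u=jph&p=s3cr%3Dt%26x' },
  { method: 'GET',  host: 'cdn.example',  path: '/img/logo.png', body: '' },
];

console.log(findCredentialMirroring(CAPTURE));
```

Short or common passwords will produce false positives with a plain substring match, so in practice the alert is a prompt to inspect the flagged request, exactly as Hartmann did, rather than a verdict on its own.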
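The article also explains why the backdoor first looked like part of Tamper Data: the rogue add-on reused Tamper Data's UUID, so it was unpacked over the trusted add-on's directory. A check a tester can run over a downloaded collection before installing it, as an added example that is not from Netcraft or from either add-on, is to extract `<em:id>` (and `em:name`) from each package's install.rdf and report any id shared by more than one file. The install.rdf snippets are constructed and the ids are placeholders, not the real add-ons' identifiers.

```javascript
// Added example (not from Netcraft or from either add-on): report install.rdf
// manifests in a collection that share an <em:id>. Firefox keys the
// per-profile extensions directory by this id, so two packages with the same
// id overwrite each other, which is how Mozilla Sniffer hid inside Tamper Data.
// The snippets below are constructed and the ids are placeholders.

// em:id / em:name appear either as elements or as attributes of <Description>;
// a regex is enough for this shape of manifest and avoids an XML dependency.
function extractField(rdf, field) {
  const el = new RegExp(`<em:${field}[^>]*>([^<]*)</em:${field}>`).exec(rdf);
  if (el) return el[1].trim();
  const attr = new RegExp(`\\bem:${field}="([^"]*)"`).exec(rdf);
  return attr ? attr[1].trim() : null;
}

// manifests: [{ file, rdf }] -> [{ id, files, names }] for every shared id.
function findIdCollisions(manifests) {
  const byId = new Map();
  for (const m of manifests) {
    const id = extractField(m.rdf, 'id');
    if (!id) continue; // no id at all is a separate problem; Firefox would reject it
    if (!byId.has(id)) byId.set(id, []);
    byId.get(id).push({ file: m.file, name: extractField(m.rdf, 'name') });
  }
  const collisions = [];
  for (const [id, entries] of byId) {
    if (entries.length > 1) {
      collisions.push({
        id,
        files: entries.map(e => e.file),
        names: [...new Set(entries.map(e => e.name))],
      });
    }
  }
  return collisions;
}

// Builds a constructed install.rdf with the given id and name.
function installRdf(id, name) {
  return `<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>${id}</em:id>
    <em:name>${name}</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>`;
}

// Constructed collection: two packages claim the same (placeholder) id.
const COLLECTION = [
  { file: 'tamper_data.xpi',     rdf: installRdf('{00000000-0000-4000-8000-000000000001}', 'Tamper Data') },
  { file: 'mozilla_sniffer.xpi', rdf: installRdf('{00000000-0000-4000-8000-000000000001}', 'Mozilla Sniffer') },
  { file: 'other_tool.xpi',      rdf: installRdf('other-tool@example.invalid', 'Other Tool') },
];

console.log(findIdCollisions(COLLECTION));
```

Two packages with one id and two different names is the strongest signal; the check is cheap enough to run on every collection download, before anything is unpacked into a profile.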

Re: Hacker Creates Plugin That Trashes Chrome’s Security

Post by Jill » Fri 16 Jul 2010 10:07

Well, I'm not too surprised the code is in the clear, it's open source... But presumably it's the code of the guy who modified the well-known add-on.

Personally I think it really was him who made the add-on on purpose, and he screwed them good HAHA :lol:
A certain bearded guy can't be happy :twisted:
Jill
Posts: 57
Joined: Thu 1 Apr 2010 16:06

Re: Hacker Creates Plugin That Trashes Chrome’s Security

Post by x[@♥] » Fri 16 Jul 2010 11:37

Jill wrote: Well, I'm not too surprised the code is in the clear, it's open source... But presumably it's the code of the guy who modified the well-known add-on.

Personally I think it really was him who made the add-on on purpose, and he screwed them good HAHA :lol:
A certain bearded guy can't be happy :twisted:


I wasn't talking about code in the clear, but about obfuscated code ;) with heavy use of "eval()" to hide things :)

:hat:
Temp...