<html>
<head>
<title>
CESA-2008-009 - rev 1
</title>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-72867-8");
pageTracker._initData();
pageTracker._trackPageview();
</script>
</head>
<body>
<h2>CESA-2008-009 - rev 1</h2>
<p/>
<br/>
[See all my vulnerabilities at
<a href="http://scary.beasts.org/security">http://scary.beasts.org/security</a>]
<p/>
[Blog if you want to subscribe to new findings is at
<a href="http://scarybeastsecurity.blogspot.com/">
http://scarybeastsecurity.blogspot.com/</a>]
<p/>
<h3>Firefox 2 and WebKit nightly cross-domain image theft</h3>
<hr/>
<br/>Programs affected: Firefox 2, prior to 2.0.0.18. Firefox 3 never affected.
WebKit nightly was affected somewhere between Safari 3 and 4.
<br/>Fixed: Firefox 2.0.0.18, Firefox 3.
<br/>Severity: Cross-domain theft of arbitrary images; machine fingerprinting.
<br/><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012">
CVE-2008-5012</a>
<br/><a href="http://www.mozilla.org/security/announce/2008/mfsa2008-48.html">
MFSA 2008-48</a>
<p/>
Arbitrary images (authenticated and unauthenticated) can be stolen cross-domain
by fooling the browser about the domain of origin and then rendering the image
to a canvas and stealing it with the Javascript <code>getImageData</code> API.
<p/>
Fooling the browswer about the domain of origin is accomplished by using "the
302 redirect trick". This involves accessing the image via an URL local to the
current (evil) domain. This local URL hosts a redirector which redirects to the
remote image we wish to steal.
<p/>
Interestingly, despite the diverse code base, WebKit had exactly the same issue.
No production WebKit browser that I know was ever affected because Safari 3.1
and Chrome pre-1.0 were based off a WebKit without the APIs which read image
data (such as <code>getImageData</code> and <code>toDataUrl</code>).
<p/>
<h3>Demo</h3>
<p/>
You can read the demo code at
<a href="https://cevans-app.appspot.com/static/ff2stealimgbug.html">
https://cevans-app.appspot.com/static/ff2stealimgbug.html
</a>
<p/>
<h3>Credits</h3>
<ul>
<li>Georgi Guninski independently reported this privately to Mozilla some
time ago. It was silently fixed in Firefox 3 but left unfixed in Firefox 2,
hence the independent discovery.</li>
<li>Michal Zalewski for noting (and demoing) the additional attack vector of
enumerating the locally installed applications, which has fingerprinting
possibilities.</li>
<li>Google - this flaw was discovered in Google's time. I'm with Google's
Security Team, and we're always recruiting talented security individuals.
Mail me.</li>
</ul>
<p/>
<br/>CESA-2008-009 - rev 1
<br/>Chris Evans
<br/><a href="mailto:scarybeasts@gmail.com">scarybeasts@gmail.com</a>
</body>
</html>