The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.
The bug is pretty simple: IE supports a
window.onerror
callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com
registers its own window.onerror
handler and then uses <script src="http://www.bank.com/">
. We'll demonstrate the consequence of this later.The bug has a very interesting history, which is worth briefly outlining here:
- 2006: Possible original discovery of theft of sensitive data aspect, credit Filipe Almeida.
- Dec 2006: Jeremiah Grossman demonstrates login determination by profiling cross-origin error messages: http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html.
- Unknown, 2007?: Firefox fixes the issue.
- Dec 2008: I discover that a redirect bypasses the Firefox protection: http://scarybeastsecurity.blogspot.com/2008/12/firefox-cross-domain-text-theft.html. It is fixed pretty quickly.
- Dec 2008: Michal Zalewski notes that my Firefox demo works verbatim in IE. Microsoft informed.
- Oct 2010: full disclosure of Internet Explorer variant.
'blah' is not defined
.So if the cross-origin text looks like a Javascript variable reference, then the attacker has a very useful leak!
Here is a proof-of-concept against Google Reader, which works by stealing cross-origin content which happens to be an anti-XSRF token:
http://scary.beasts.org/misc/reader.html
As it happens, the Reader product deployed a change which detects the vulnerable User-Agent string (Internet Explorer) and uses a workaround. So the PoC is neutered. This is a shame because the PoC used to force your friend to subscribe to a goat-farming feed against their will. For now, you'll have to locate an alternate attack vector for this vulnerability -- do let me know what you find via a comment.
It's worth closing with some notes that this area is ripe for further research. There are a varied number of text structures which can be stolen (iteratively if necessary) with this trick:
- a,b,c -- i.e. the CSV syntax
- The b in a:b
- a.b.c
- The b in {a:b}
- Expression constructs such as a/b/c
- Constructs like the above, if wrapped in () or [] etc.
http://scary.beasts.org/misc/onerr.html
(Only works in browsers with window.onerror, such as IE).
Please leave a comment if you have more constructs which can be stolen; or more examples of sites where stuff can be stolen from.