Showing posts with label Bypass of Security constraints.

Spook.js: Chrome is Threatened by a New Spectre Like Attack


A newly disclosed side-channel attack against Google Chrome lets a malicious web page mount a Spectre-style attack that bypasses the browser's security protections and extracts sensitive information. Spook.js is a transient-execution side-channel attack that specifically targets Chrome. Despite Google's deployment of Strict Site Isolation to mitigate Spectre, malicious JavaScript can still extract information in some circumstances.

An attacker-controlled web page can learn which other pages from the same website the user is currently viewing, collect sensitive information from those pages, and even recover auto-filled login credentials (username and password). If the user installs a malicious extension, that extension can likewise read data belonging to other Chrome extensions, such as credential managers.

Spectre, which made headlines worldwide in 2018, exploits speculative execution, a performance optimisation in modern CPUs, to defeat the memory isolation that keeps separate programs from reading each other's memory. By targeting how applications and processes interact with the processor and its caches, attackers could read sensitive data across trust boundaries, enabling a wide range of attacks against many kinds of software, web applications included.

In response, Google Chrome introduced Strict Site Isolation, which prevents pages from different sites from sharing a renderer process. Chrome also confines each process's JavaScript heap to a separate 32-bit address range, even though Chrome itself is a 64-bit application.

Site Isolation is a Chrome security feature that adds protection against certain classes of vulnerabilities: it makes it harder for an untrusted website to access or steal information from your accounts on other websites.

Despite these safeguards, Spook.js, according to researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, "shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks." 

“More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains,” they said. "Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type."

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the study recommended. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."
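To make the eTLD+1 point concrete, here is an added example (not code from the Spook.js paper or from Chrome) that computes the site key Strict Site Isolation groups by, scheme plus eTLD+1, and checks whether two URLs would share a renderer process. The public-suffix table is a constructed subset of the Public Suffix List and ignores its wildcard and exception rules; a real deployment should use the full list.

```javascript
// Added example: decide whether two URLs fall into the same "site"
// (scheme + eTLD+1), the unit Chrome's Strict Site Isolation uses when
// assigning pages to a renderer process. This is not Chrome's code.
// Constructed subset of the Public Suffix List (https://publicsuffix.org);
// the real list is far larger and has wildcard/exception rules.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) for a hostname, or null when the
// hostname is itself a public suffix (nothing registrable below it).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the longest suffix first; the first PSL match is the effective TLD,
  // and one more label to its left is the eTLD+1.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No rule matched: fall back to the PSL default of treating the last
  // label as the TLD.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Chrome's site key for a URL: scheme plus eTLD+1 (no port, no path).
function siteOf(url) {
  const u = new URL(url);
  const reg = registrableDomain(u.hostname);
  return reg === null ? null : `${u.protocol}//${reg}`;
}

// Two URLs share a renderer process under Strict Site Isolation only if
// they map to the same site key.
function sameSite(urlA, urlB) {
  const a = siteOf(urlA);
  const b = siteOf(urlB);
  return a !== null && a === b;
}

// Audit helper for the paper's recommendation: given a page holding
// sensitive data and the script URLs a site embeds, return those that Strict
// Site Isolation would place in the same process as the sensitive page.
function colocatedScripts(sensitivePageUrl, scriptUrls) {
  return scriptUrls.filter((s) => sameSite(s, sensitivePageUrl));
}
```

Subdomains of one registrable domain are the same site regardless of port or path, so `user-content.example.com` and `accounts.example.com` land in one process, while `a.co.uk` and `b.co.uk` do not because `co.uk` is itself a public suffix. This is why the authors recommend a separate eTLD+1, not merely a separate subdomain, for user-supplied script.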

Fake Hands Could Be Employed To Dodge Vein Authentication

At the annual Chaos Communication Congress in Germany, security researchers demonstrated that a fake hand can be used to bypass vein authentication.

Biometrics such as fingerprint and face recognition are now commonly used to authenticate users and prevent fraud.

Another such method is vein authentication, in which a scanner captures the size, shape and position of the veins under the skin of the user's hand and compares that pattern with the one on record.

This method, too, has a weakness. The researchers fabricated a wax hand to deceive the vein-sensing system.

Although vein sensing is marketed as a high-security system, it turned out to be easy to defeat with a modified camera and inexpensive materials.

Vein authentication emerged as an improvement on fingerprint sensors, which had become mainstream: fingerprints can be lifted from any object a person has touched, whereas the position of veins under the skin was assumed to be hard to obtain.

The researchers first photographed their own vein patterns with an SLR camera from which the infrared filter had been removed, which makes the veins visible in the image.

A camera of this kind can capture usable vein patterns from a distance of about five metres, for instance at a press conference.

The two researchers worked through over 2,500 photographs to refine the process and pick the best image.

From that image they fabricated a wax hand carrying the same vein pattern.

Hitachi and Fujitsu were informed of the research but did not comment.

It took the researchers about a month to produce the wax hand, and the technique could readily be replicated by others.

Three critical vulnerabilities identified in Apache Tomcat 7 and 6

The Tomcat security team has disclosed three vulnerabilities in Apache Tomcat, the open source web server and servlet container. They affect the 7.x and 6.x branches.

CVE-2012-4534: Denial of Service (DoS) vulnerability
When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response, an infinite loop is entered, leading to a denial of service. Tomcat 7.0.0 to 7.0.27 and Tomcat 6.0.0 to 6.0.35 are affected.

CVE-2012-3546: Apache Tomcat bypass of security constraints
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate(). Tomcat 7.0.0 to 7.0.29 and Tomcat 6.0.0 to 6.0.35 are affected.

CVE-2012-4431: Apache Tomcat bypass of CSRF prevention filter
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. Tomcat 7.0.0 to 7.0.31 and Tomcat 6.0.0 to 6.0.35 are affected.
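As an added illustration of the CSRF filter flaw (a model written for this page, not Tomcat's Java source), the following JavaScript shows the decision logic of a session-nonce CSRF filter in its vulnerable shape beside the corrected one. The parameter name is the one Tomcat's CsrfPreventionFilter uses; the request and session objects, the protected path, the entry-point list and the nonce values are constructed stand-ins.

```javascript
// Added example, not Tomcat's code: a model of a session-nonce CSRF filter
// showing the CVE-2012-4431 logic flaw and its fix.
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"; // Tomcat's parameter name
// Entry points are the only paths reachable without a nonce (constructed list).
const ENTRY_POINTS = new Set(["/index.jsp", "/login"]);

// Mint a nonce for a session and remember it so later requests can be checked
// against it. The nonce may be injected (the demo does this for determinism);
// the default draws 16 random bytes from the platform CSPRNG.
function issueNonce(session, nonce = require("crypto").randomBytes(16).toString("hex")) {
  session.nonces.add(nonce);
  return nonce;
}

// Constructed stand-in for a servlet request: path, request parameters and the
// session identifier carried by the JSESSIONID cookie (undefined when absent).
function makeRequest(path, { sessionId, nonce } = {}) {
  const params = {};
  if (nonce !== undefined) params[NONCE_PARAM] = nonce;
  return { path, sessionId, params };
}

// Returns the HTTP status the filter would produce: 200 to let the request
// through to the protected resource, 403 to block it.
function checkCsrf(request, sessions, { fixed }) {
  if (ENTRY_POINTS.has(request.path)) return 200;

  const session = request.sessionId !== undefined ? sessions.get(request.sessionId) : undefined;
  const nonceCache = session ? session.nonces : null;
  const presented = request.params[NONCE_PARAM];

  if (!fixed) {
    // Vulnerable shape: the nonce is compared only when a session with a nonce
    // cache exists. A request carrying no session identifier has no cache, so
    // the check is skipped entirely and the protected resource is served.
    if (nonceCache !== null && !nonceCache.has(presented)) return 403;
    return 200;
  }

  // Corrected shape: fail closed. No session, no nonce parameter, or a nonce
  // the session never issued are all rejected.
  if (nonceCache === null || presented === undefined || !nonceCache.has(presented)) return 403;
  return 200;
}

// Walk the bypass and the fix on constructed data, returning the statuses so
// the outcome can be inspected or asserted rather than only printed.
function demo() {
  const sessions = new Map([["s1", { nonces: new Set() }]]);
  const nonce = issueNonce(sessions.get("s1"), "c0ffee1234567890"); // fixed value for determinism
  const legit = makeRequest("/admin/delete", { sessionId: "s1", nonce });
  const forged = makeRequest("/admin/delete", { sessionId: "s1", nonce: "guess" });
  const noSession = makeRequest("/admin/delete"); // protected resource, no session identifier
  return {
    vulnerable: {
      legit: checkCsrf(legit, sessions, { fixed: false }),
      forged: checkCsrf(forged, sessions, { fixed: false }),
      noSession: checkCsrf(noSession, sessions, { fixed: false }), // 200: the bypass
    },
    fixed: {
      legit: checkCsrf(legit, sessions, { fixed: true }),
      forged: checkCsrf(forged, sessions, { fixed: true }),
      noSession: checkCsrf(noSession, sessions, { fixed: true }), // 403
    },
  };
}
```

The pattern to look for when reviewing any such filter is a guard of the form "if we have state, verify it", which silently passes when the state is absent; the correct guard treats missing state as a failed check.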

Users of affected versions are advised to upgrade: the fixes are in Tomcat 6.0.36 and in Tomcat 7.0.28 (CVE-2012-4534), 7.0.30 (CVE-2012-3546) and 7.0.32 (CVE-2012-4431), so 7.0.32 or later covers all three issues.