Re: [fwd] [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets (from: tlr@w3.org) from Marcos Caceres on 2007-12-04 (public-appformats@w3.org from December 2007)

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Tue, 4 Dec 2007 14:17:01 +1000
To: public-appformats@w3.org
Message-ID: <b21a10670712032017i52599a35nde2b46ad6c758f5@mail.gmail.com>

I guess one thing we don't need to worry about at the moment is
concerning ourselves with the widget.system() API, as we currently
don't spec it ( should we?:) ).... And I'm not sure what we can do
with regards to eval() as I gather that is a problem for the web at
large....

Kind regards,
Marcos


On Dec 4, 2007 9:07 AM, Thomas Roessler <tlr@w3.org> wrote:
>
> FYI, an incidental observation of security holes introduced by some
> real-life widgets.  I was particularly amazed to see that the two
> available free widgets for that particular functionality were making
> the same (rather severe) mistake.
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>
>
>
>
> ----- Forwarded message from Thomas Roessler <tlr@w3.org> -----
>
> From: Thomas Roessler <tlr@w3.org>
> To: bugtraq@securityfocus.com
> Cc: brett@webfroot.co.nz, mail@ben-ward.co.uk
> Date: Tue, 4 Dec 2007 00:04:57 +0100
> Subject: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard
>         widgets
>
> Twitgit [1] and Twitterlex [2] are two MacOS X Dashboard widgets
> (developed in JavaScript) that can be used to display twitter.com
> updates.
>
> Both regularly retrieve data using the Twitter JSON API and parse
> whatever is returned with eval().  Both relax the dashboard's
> JavaScript sandbox to enable the widget.system() call, which indeed
> amounts to the equivalent of system(3); i.e., if an attacker can
> take over the widget, the attacker can take over the user's account
> (and, quite often, the system).
>
> The data are retrieved through plain HTTP. Therefore, these widgets
> are vulnerable to at least:
>
> - cross-site-scripting attacks through Twitter
> - subversion of Twitter and, in the case of Twitterlex, also
>   subversion of a server used for update notifications
> - man-in-the-middle attacks against local networks
>
> (Also, deliberately malicious behavior by either Twitter or the
> author of at least Twitterlex is a risk from a security perspective;
> if one was to assume malice, then Twitterlex could be classified as
> a nifty backdoor.)
>
> What makes this case particularly interesting is that this is a case
> in which -- along with the development platform, JavaScrit -- the
> borders between Web and local vulnerabilities get increasingly blurry.
>
> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.
>
> 1. http://inner.geek.nz/projects/twitterlex/
> 2. http://ben-ward.co.uk/widgets/twitgit/
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>
>
> ----- End forwarded message -----
>
>



-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 4 December 2007 04:17:16 UTC