Re: Widget Security

On 2007-12-05 09:44:29 +0100, Thomas Roessler wrote:

> - Widgets are susceptible to a client-side equivalent of
>   cross-site-scripting attacks: If data retrieved from the network
>   is written to the widget DOM in a way that can cause the
>   uncrontolled creation of elements, then an attacker can once again
>   take over the widget.
>   
>   Techniques such as writing to the document using the
>   Document.write() method or the (not-standard) innerHTML property
>   are particularly risky.  These should not be used; instead, text
>   nodes can be created more safely using, e.g., the
>   Document.createTextNode() method.
> 
>   Code insertion attacks are also possible when creating attributes;
>   it is good practice to *not* use data retrieved from the user or
>   (more importantly) the network when, e.g., constructing event
>   handlers for an attribute that's dynamically written.
> 
>   Note that, if widgets run with privileges beyond the traditional
>   browser sandbox, the results of this attack vector be severe
>   enough to be a convenient vector for causing a system compromise.
> 
> The last point is incredibly important (and *very* easy to get wrong
> when programming in a certain style); I'm currently waiting for a
> major vendor to fix a bug like this in one of their widgets, and
> will then have a juicy example to talk about.

The juicy example that I had in mind back then was the Google Mail
dashboard widget, which could be abused to cause execution of a
shell script by just sending an appropriate e-mail

Update announcement:
  http://googlemac.blogspot.com/2007/12/mac-os-x-dashboard-widget-security.html

Technical details:
  http://log.does-not-exist.org/archives/2007/12/19/2159_more_on_widgets_when_one_email_is_enough_to_break_a_system.html

Happy holidays,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 20 December 2007 23:45:57 UTC