- From: L. David Baron <dbaron@dbaron.org>
- Date: Wed, 29 Jun 2011 13:01:09 -0700
- To: Glenn Adams <glenn@skynav.com>
- Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, liam@w3.org, www-style@w3.org, public-webfonts-wg@w3.org, www-font@w3.org, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
On Wednesday 2011-06-29 12:39 -0600, Glenn Adams wrote: > On Wed, Jun 29, 2011 at 11:55 AM, John Daggett <jdaggett@mozilla.com> wrote: > > As background, I think it would be useful to read through a description of a > > recent WebGL security issue below. The context is slightly different but > > the issue is the same, especially what is described in the section > > "Cross-Domain Image Theft": > > > > http://www.contextis.com/resources/blog/webgl/ > > > > > i will take a look at this, but it sounds like "content protection" and DRM > scope to me just from the phrase "image theft" The general concern with cross-domain data theft is attacks like one of these (which are both examples involving images): 1) https://www.evilwebmail.com/ , which users tend to leave open in a tab for a long period of time, tries every minute to load the image https://www.popularbank.com/mybalancegraph.png , and if it does (because the user uses that bank, and has logged in to her bank, which uses only cookies to check login status), transmits the contents to evilwebmail.com's servers so that the owners of evilwebmail.com can determine which of their users' bank accounts are worth breaking into. 2) http://evilnewssite.com/ has articles on it about technology companies, and they'd like to learn company secrets. So each article, when it's loaded, tries to load the image at http://internalcompanyhost/productplan2012/diagram.png , and, if it loads (because the user is actually on the targeted internal network), transmit it back to the server. -David -- L. David Baron http://dbaron.org/ Mozilla Corporation http://www.mozilla.com/
Received on Wednesday, 29 June 2011 20:01:46 UTC