Feeds

SafeWeb holes emerge, said fixed

Javascript again....

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Late last week Boston University's David Martin and the Privacy Foundation's Andrew Schulman released a report demonstrating the ease with which the SafeWeb proxy could be defeated with Javascript. SafeWeb no longer offers its free anonymous Web proxy, but it is licenced to PrivaSec, which is offering the service.

It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.

The first problem is the way SafeWeb handles Javascript. Rather than disable it, which leads to irritating problems with Web-site functionality, the service uses a re-write engine which strives to render potentially revealing statements harmless. This is done with two modes, 'recommended' and 'paranoid', between which which the user can choose.

Both modes, the researchers discovered, can be subverted rather easily, and in 'recommended' mode, "a one-line JavaScript statement is enough to cause a SafeWeb user’s Web browser to deliver its real IP address to the attacker."

But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.

While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.

Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.

This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.

"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."

Another serious problem is cross-frame access. The system uses frames, and normally it's impossible for Javascript to gain access to two or more frames from different domains. But because of the way a SafeWeb session attempts anonymity, the two frames originate from the same domain, rendering this irrelevant.

"It is clear that the SafeWeb architecture requires cross-frame access in JavaScript," the researchers say. [emphasis original]

Even in paranoid mode, where Javascript is restricted as much as possible, successful attacks have been documented. The authors say, and rightly so, that this comes from allowing statements not known to be dangerous, rather than denying all not known to be safe.

Thus there are a number of ways besides Javascript by which a Web site can 'reach' a surfer through a SafeWeb session.

For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."

SafeWeb has since developed a patch and made it available to PrivaSec and their other licensees. The patch deals with Javascript, and basically allows it to be turned off while enabling the surfer to enjoy reasonable functionality. But it doesn't address the issue of launching documents such as Acrobat and Word in a browser session. So until we hear more, fetching documents is a definite no-no for the paranoid, and the oppressed. ®

Related Stories

SafeWeb ain't all that
Do-it-yourself Internet anonymity
Internet anonymity for Windows power users
Windows hack for Web-surfing privacy

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.