BBC, Facebook steer users to vuln-afflicted Unity Web Player plugin
Finnish security researcher sounds the alarm, gets no joy
Updated A vulnerability has been found in the Unity Web Player plugin, which could allow an attacker to access any website with the credentials of the plug-in's user.
The vulnerability could pass on private messages sent over Facebook and Gmail, or, if exploited on the Internet Explorer browser, it could even read local files from the target user's hard disk.
The vulnerability was disclosed in an advisory by Finnish zero-day hunters Klikki Oy's Jouko Pynnönen.
Pynnönen, who has a sharp eye for cross-site and cross-domain security problems, notes that Facebook actively endorses the plug-in, and The Register has found that the BBC's CBeebies site also requires its use.
Detailing the vuln, Pynnönen explained that the plug-in mostly functions quite normally. Applications running on a website that the user has visited are only able to access resources (URLs) belonging to the same domains – it may not access other websites nor may it access the local file system.
The researcher stated how a "specially formatted URL in an HTTP redirection can be used to bypass these restrictions".
A malicious app loaded from "http://x:firstname.lastname@example.org" could access an URL from eg. "http://x:email@example.com/redirector" which could return a HTTP redirect status code (301, 302, 307) and a Location: header pointing at "http://x:firstname.lastname@example.org/".
While this redirect should be denied, as it points to a different domain, Unity Web Player evaluates the domain on the user:password part of the URL which, of course, will be identical to both addresses ("x:y").
Figures on the public relations section of the site claims Unity has 600m users. This figure includes not only the web-players users, but also those on PC, Mac, mobile and consoles. As a matter of users affected, the company estimated it had more than 200m installs in 2013.
Pynnönen offered a video demonstration of the exploit:
Pynnönen claimed: "Attempts to contact Unity Technologies by email and web contact form were made in December 2014. We also submitted two bug reports using Unity's bug reporting tool on February 1 and April 13 2015. There has been no response."
An update to the advisory reveals Unity Technologies only responded to the issue the day after the disclosure was published.
A member of the Unity team told The Register that a fix would be released today. We have asked for more information, including clarification on the delayed response to Pynnönen's claims of previous attempts to contact them, and will update this article when we receive a response. ®
Although we haven't received a response from Unity, a new version, 4.6.6, has been released which fixes the issue for those who update the plug-in.