Same Origin Method Execution attack to perform unintended actions on a website on behalf of victims

Pierluigi Paganini October 17, 2014

A researcher presented a new attack method dubbed Same Origin Method Execution which could be exploited to impersonate the targeted user on many websites.

Same Origin Method Execution (SOME) is a new technique of attack against website presented by Ben Hayak, researcher at Trustwave, at Black Hat Europe in Amsterdam. The Same Origin Method Execution (SOME) attack method is related to JavaScript Object Notation with padding (JSONP) implementation, it allows a bad actor to impersonate the targeted user, and most concerning aspect of the attack is that the there is no need for user interaction if malicious code is served through a classic malvertising campaign. Be aware, if a domain is vulnerable to the attack, all its pages will result vulnerable.

“Same Origin Method Execution” is a new technique that abuses JSONP in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to click-jacking, this attack is not UI related nor it is confined in terms of user interaction, browser brand, HTTP X-FRAME-OPTIONS/Other response headers or a particular webpage, in fact, when a webpage found vulnerable to “SOME”, the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user-interaction. Ben Hayak” is the presentation of speech published on the BlackHat Europo Website.

Hayak has demonstrated the Same Origin Method Execution (SOME) technique against Google+, gaining access to users’ photos and videos just tricking the victims into click on a malicious link.

Ben Hayak Same Origin Method Execution SOME Attack

In the specific case the Same Origin Method Execution attack could be exploited to steal all personal images and videos of G+ users, a dangerous circumstance if we thing in the recent case of Fappening with celebrity’ s  iCloud accounts.

Let’s image that users take some photos with their mobile that that the images are then automatically backed up via Google’s “Auto Backup” feature to a private location on Google+, the Same Origin Method Execution (SOME) technique allows the attacker to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.

The Same Origin Policy is a pillar of web application security model which is used to regulate the interaction between unrelated websites and third-party services.

In some cases, developers need to bypass SOP, this is the case, for example, when two web services exchange information like the visitors’ location, in these scenario developers can use JSONP, which is a is a communication technique used in JavaScript programs running in web browsers to request data from a server in a different domain.

The data transfer is allowed because web browsers don’t enforce SOP on <script> tags, but JSONP can also be abused if not correctly implemented. Hayak explained that manipulating the JSONP callback parameter, it is possible to execute arbitrary methods on the vulnerable website.

When the victim clicks on the malicious link, a the malicious code is executed in a new window. The new window is quickly opened and it’s executed once the method is executed, it is typically impossible for the victim to understand what it is happening. The technique could be also improved opening a legitimate web page once the Same Origin Method Execution is completed, in this way the attacker avoids suspicious of the victim.

Which are the methods that can be executed with the  Same Origin Method Execution (SOME) technique?

It depends on the specific website attacked, for example, in the case of Google+, the attacker could first select the images on the victim’s account and then send them to his recipient.

During its presentation, the researcher has successfully tested the attack on Google+, but as explained by Hayak many other websites are also vulnerable, including web services of financial institutions.

The researcher has already reported to Google the security issues, and the company after two months patched it, just before the Black Hat conference. Google also rewarded the researcher with $3,133.7 for his findings.

Techniques implemented to prevent cross-site reference forgery (CSRF) and Cross-site scripting (XSS) don’t work as protection measure against Same Origin Method Execution attack, the researcher also explained that Frame busting is inefficient.

Hayak expained that actually there are only three ways to protect websites using JSONP against such attacks:

  • Use a static function name for callbacks.
  • Whitelist callbacks on the server side.
  • Registering callbacks.

Let’s wait for the detailed research paper on SOME attacks that will be published in the next months.

Pierluigi Paganini

(Security Affairs –  Same Origin Method Execution, hacking)

you might also like

leave a comment