Categories: HackingSecurity

Same Origin Method Execution attack to perform unintended actions on a website on behalf of victims

A researcher presented a new attack method dubbed Same Origin Method Execution which could be exploited to impersonate the targeted user on many websites.

Same Origin Method Execution (SOME) is a new technique of attack against website presented by Ben Hayak, researcher at Trustwave, at Black Hat Europe in Amsterdam. The Same Origin Method Execution (SOME) attack method is related to JavaScript Object Notation with padding (JSONP) implementation, it allows a bad actor to impersonate the targeted user, and most concerning aspect of the attack is that the there is no need for user interaction if malicious code is served through a classic malvertising campaign. Be aware, if a domain is vulnerable to the attack, all its pages will result vulnerable.

“Same Origin Method Execution” is a new technique that abuses JSONP in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to click-jacking, this attack is not UI related nor it is confined in terms of user interaction, browser brand, HTTP X-FRAME-OPTIONS/Other response headers or a particular webpage, in fact, when a webpage found vulnerable to “SOME”, the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user-interaction. Ben Hayak” is the presentation of speech published on the BlackHat Europo Website.

Hayak has demonstrated the Same Origin Method Execution (SOME) technique against Google+, gaining access to users’ photos and videos just tricking the victims into click on a malicious link.

In the specific case the Same Origin Method Execution attack could be exploited to steal all personal images and videos of G+ users, a dangerous circumstance if we thing in the recent case of Fappening with celebrity’ s  iCloud accounts.

Let’s image that users take some photos with their mobile that that the images are then automatically backed up via Google’s “Auto Backup” feature to a private location on Google+, the Same Origin Method Execution (SOME) technique allows the attacker to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.

The Same Origin Policy is a pillar of web application security model which is used to regulate the interaction between unrelated websites and third-party services.

In some cases, developers need to bypass SOP, this is the case, for example, when two web services exchange information like the visitors’ location, in these scenario developers can use JSONP, which is a is a communication technique used in JavaScript programs running in web browsers to request data from a server in a different domain.

The data transfer is allowed because web browsers don’t enforce SOP on <script> tags, but JSONP can also be abused if not correctly implemented. Hayak explained that manipulating the JSONP callback parameter, it is possible to execute arbitrary methods on the vulnerable website.

When the victim clicks on the malicious link, a the malicious code is executed in a new window. The new window is quickly opened and it’s executed once the method is executed, it is typically impossible for the victim to understand what it is happening. The technique could be also improved opening a legitimate web page once the Same Origin Method Execution is completed, in this way the attacker avoids suspicious of the victim.

Which are the methods that can be executed with the  Same Origin Method Execution (SOME) technique?

It depends on the specific website attacked, for example, in the case of Google+, the attacker could first select the images on the victim’s account and then send them to his recipient.

During its presentation, the researcher has successfully tested the attack on Google+, but as explained by Hayak many other websites are also vulnerable, including web services of financial institutions.

The researcher has already reported to Google the security issues, and the company after two months patched it, just before the Black Hat conference. Google also rewarded the researcher with $3,133.7 for his findings.

Techniques implemented to prevent cross-site reference forgery (CSRF) and Cross-site scripting (XSS) don’t work as protection measure against Same Origin Method Execution attack, the researcher also explained that Frame busting is inefficient.

Hayak expained that actually there are only three ways to protect websites using JSONP against such attacks:

  • Use a static function name for callbacks.
  • Whitelist callbacks on the server side.
  • Registering callbacks.

Let’s wait for the detailed research paper on SOME attacks that will be published in the next months.

Pierluigi Paganini

(Security Affairs –  Same Origin Method Execution, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

7 mins ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

7 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

18 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

22 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.