Web Privacy and Adobe Local Shared Objects

(and other things you should know)

Clinton Wong <clinton.defcon@gmail.com>

Defcon 16, August 2008

These slides are obsolete

•  This is the presentation included on the Defcon 16 CD.

•  Check the Defcon website for the latest version of this talk.

This Talk Isn’t About Anything New

According to http://en.wikipedia.org/wiki/Local_Shared_Object:

“Flash Player […] does not ask the user's permission to store data permanently. This may constitute a collection of cookie‐like data that may include not only user‐tracking information but any personal data that the user has entered in any Flash‐enabled application”

Public Service Announcement

•  Things you should know but probably don’t.

•  How do I manage LSOs?

•  What else should I do differently?

HTTP Cookies Are Well Understood

It’s 2008, everyone knows about “cookies”.

IETF standards:

•  HTTP/1.1: RFC 2616

•  HTTP Cookies: RFC 2109

Let’s take a look at that…

Web Browser Sends This…

GET http://www.google.com/ HTTP/1.1
User‐Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en‐us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Accept‐Encoding: gzip, deflate
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept‐Language: en‐us
Host: www.google.com
Connection: close

Web Server Replies With This…

HTTP/1.0 200 OK
Cache‐Control: private, max‐age=0
Date: Thu, 26 Jun 2008 04:18:25 GMT
Content‐Type: text/html; charset=UTF‐8
Set‐Cookie: PREF=ID=a2bce[…] domain=.google.com   (keep this in mind for the next slide)
Content‐Encoding: gzip
Server: gws
Content‐Length: 2654

Web Browser Subsequently Sends This…

GET http://www.google.com/favicon.ico HTTP/1.1
User‐Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en‐us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Referer: http://www.google.com/
Accept: */*
Accept‐Language: en‐us
Accept‐Encoding: gzip, deflate
Cookie: PREF=ID=a2bce[…]   (the value that the server gave us in the previous slide)
Host: www.google.com
Connection: close
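The three slides above show the whole cookie round trip: the server hands out a Set-Cookie, the browser stores it and echoes it back as a Cookie header on its next request to a matching host. The following is an added example, not code from the talk, that reproduces that behaviour as a minimal RFC 2109-style cookie jar; the cookie value "a2bce1234" and the SID cookie are constructed stand-ins for the elided values on the slides. It also honours the Secure attribute, which is what later keeps a session cookie off cleartext connections.

```python
"""Cookie round trip as in the slides: the browser remembers what Set-Cookie
gave it and echoes it back on the next request to a matching host.
Added example; the jar and the cookie values are constructed, not from the talk."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def domain_matches(host, cookie_domain):
    """Host matches if it equals the cookie's domain or is a subdomain of it.
    A leading dot (".google.com", as on the slide) is ignored."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


class CookieJar:
    """Minimal RFC 2109-style jar: one entry per (name, domain, path)."""

    def __init__(self):
        self.cookies = []  # tuples of (name, value, domain, path, secure)

    def store(self, response_url, set_cookie_headers):
        """Record every Set-Cookie header of a response that came from response_url."""
        host = urlsplit(response_url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                domain = morsel["domain"] or host   # default: the responding host
                path = morsel["path"] or "/"
                secure = bool(morsel["secure"])     # "Secure" attribute present?
                # a newer cookie with the same name/domain/path replaces the old one
                self.cookies = [c for c in self.cookies
                                if (c[0], c[2], c[3]) != (name, domain, path)]
                self.cookies.append((name, morsel.value, domain, path, secure))

    def cookie_header(self, request_url):
        """Build the Cookie header for a request, or None if nothing applies."""
        parts = urlsplit(request_url)
        host, path, scheme = parts.hostname, parts.path or "/", parts.scheme
        sent = []
        for name, value, domain, cpath, secure in self.cookies:
            if not domain_matches(host, domain) or not path.startswith(cpath):
                continue
            if secure and scheme != "https":
                continue  # a Secure cookie is never sent in cleartext
            sent.append(f"{name}={value}")
        return "; ".join(sent) or None


def replay_slides():
    """Replay the exchange from the slides with a constructed cookie value."""
    jar = CookieJar()
    # the server's reply from the second slide (value constructed)
    jar.store("http://www.google.com/", ["PREF=ID=a2bce1234; domain=.google.com"])
    # the browser's follow-up request from the third slide
    return jar.cookie_header("http://www.google.com/favicon.ico")


if __name__ == "__main__":
    print("Cookie:", replay_slides())
```

Because the slide's cookie carries domain=.google.com, the jar also attaches it to requests for any other google.com host; a cookie without a domain attribute would be scoped to the responding host only.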

Browsers Let You Manage Cookies

Set cookie acceptance/expiration policy. E.g., Firefox 3:

Browsers Let You Manage Cookies

Clear all private data upon demand:

Web Proxies Can Filter HTTP Cookies

Privoxy is a filtering web proxy.

Flexible filtering rules, cookies included.

Strip out cookies, allow cookies for certain sites.

See also: http://privoxy.org
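The filtering the slide describes is possible precisely because HTTP cookies travel in two well-known headers. As an added example (not Privoxy's code), this Python function crunches Cookie and Set-Cookie headers from a request or response unless the host is on an allow list, the same policy Privoxy expresses with its crunch-outgoing-cookies / crunch-incoming-cookies actions; the allow list and the cookie value are constructed.

```python
"""Privoxy-style cookie stripping (added example, not Privoxy's code):
drop Cookie and Set-Cookie headers unless the host is on an allow list."""

# Sites that may set and receive cookies (constructed list).
ALLOWED_COOKIE_DOMAINS = ("gmail.google.com", "webmail.example.test")

# Header names to crunch, in both directions (request and response).
COOKIE_HEADERS = ("cookie", "set-cookie")


def domain_matches(host, allowed):
    """True if host equals the allowed domain or is a subdomain of it."""
    host, allowed = host.lower(), allowed.lstrip(".").lower()
    return host == allowed or host.endswith("." + allowed)


def strip_cookie_headers(host, raw_headers, allowlist=ALLOWED_COOKIE_DOMAINS):
    """Filter one HTTP message's header block (request or status line included).
    Returns (filtered_text, dropped_lines)."""
    allowed = any(domain_matches(host, d) for d in allowlist)
    kept, dropped = [], []
    for line in raw_headers.splitlines():
        name, sep, _ = line.partition(":")
        # the request/status line has no "name:" prefix and is always kept
        if sep and not allowed and name.strip().lower() in COOKIE_HEADERS:
            dropped.append(line)
        else:
            kept.append(line)
    return "\n".join(kept), dropped


def demo():
    """Run the slide's follow-up request through the filter (cookie value constructed)."""
    request = ("GET /favicon.ico HTTP/1.1\n"
               "Referer: http://www.google.com/\n"
               "Cookie: PREF=ID=a2bce1234\n"
               "Host: www.google.com")
    return strip_cookie_headers("www.google.com", request)


if __name__ == "__main__":
    filtered, dropped = demo()
    print(filtered)
    print("dropped:", dropped)
```

The response direction matters as much as the request direction: a Set-Cookie that never reaches the browser is a cookie that never gets stored, which is why Privoxy offers both actions.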

Adobe’s Alternate Cookie System

•  Adobe Flash uses Local Shared Objects to keep persistent session state, similar to HTTP cookies.

•  Almost all browsers include the Adobe Flash plug‐in.

•  LSOs are not cleared when you clear your HTTP cookies.

•  Web browsers don’t know how to manage them.

•  By default, they’re there until you explicitly clear them.

This Doesn’t Affect Adobe LSOs

This Doesn’t Manage LSOs Either

Companies Are Exploiting This

Company Bypasses Cookie‐Deleting Consumers
InformationWeek article by Antone Gonsalves, 3/31/05

“United Virtualities is offering online marketers and publishers technology that attempts to undermine the growing trend among consumers to delete cookies planted in their computers. The New York company on Thursday unveiled what it calls PIE, or persistent identification element, a technology that's uploaded to a browser and restores deleted cookies. In addition, PIE, which can't be easily removed, can also act as a cookie backup, since it contains the same information.”

http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=160400801

How Do I Fix This?

•  You actually can manage LSOs.

•  Adobe’s website describes how:
   http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

•  In particular…

Setting LSO Acceptance Policy

Visit this URL, which has a Flash app:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

Clearing LSOs

Manually delete LSOs by visiting this URL:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
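The settings manager above clears LSOs through a Flash app, but the objects are ordinary files, so a script can list them per site and remove them (with an allow list, like the cookie policy in a browser). The following is an added example, not Adobe's tool and not from the slides; the on-disk locations under the user's profile (the "#SharedObjects" directory on Mac OS X, Linux and Windows) and the layout of a random profile folder followed by the site name are assumptions from Flash Player installations of the period, and the sample store is constructed in a temporary directory so the demo runs offline.

```python
"""List and clear Flash Local Shared Objects (.sol files) straight from
Flash Player's on-disk store. Added example, not Adobe's tool; the storage
paths and directory layout are assumptions, not something the slides state."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def default_lso_roots() -> List[Path]:
    """Candidate #SharedObjects directories for the current user (assumed paths)."""
    home = Path.home()
    candidates = [
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # Mac OS X
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:  # Windows
        candidates.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [p for p in candidates if p.is_dir()]


def find_lsos(root: Path) -> Dict[str, List[Path]]:
    """Group every .sol file under root by the site that wrote it.
    Assumed layout: <root>/<random profile id>/<site>/<swf path...>/<name>.sol"""
    by_site: Dict[str, List[Path]] = {}
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        site = parts[1] if len(parts) > 2 else parts[0]
        by_site.setdefault(site, []).append(sol)
    return by_site


def purge_lsos(root: Path, keep_sites=(), dry_run=True) -> List[Path]:
    """Delete every LSO except those of keep_sites. With dry_run=True nothing
    is touched; the return value is what would be removed."""
    removed = []
    for site, files in find_lsos(root).items():
        if site in keep_sites:
            continue
        for sol in files:
            removed.append(sol)
            if not dry_run:
                sol.unlink()
    return removed


def build_sample_store(root: Path) -> None:
    """Create a constructed #SharedObjects tree for offline demonstration."""
    for rel in ("ABCD1234/www.example.test/app.swf/session.sol",
                "ABCD1234/www.example.test/app.swf/prefs.sol",
                "ABCD1234/webmail.example.test/mail.swf/state.sol"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00\xbf")  # placeholder content, not a real LSO body


def demo() -> dict:
    """Run find/purge against the sample store and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="lso-demo-"))
    build_sample_store(root)
    found = {site: len(files) for site, files in find_lsos(root).items()}
    planned = purge_lsos(root, keep_sites=("webmail.example.test",), dry_run=True)
    removed = purge_lsos(root, keep_sites=("webmail.example.test",), dry_run=False)
    return {
        "found": found,
        "planned": len(planned),
        "removed": len(removed),
        "left": sum(len(f) for f in find_lsos(root).values()),
    }


if __name__ == "__main__":
    for root in default_lso_roots():
        for site, files in find_lsos(root).items():
            print(f"{site}: {len(files)} LSO file(s)")
    print(demo())
```

Run it with the browser closed: the plug-in keeps LSOs open while Flash content is running and may write a fresh copy on exit. The dry run exists so that the site list can be checked before anything is deleted.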

Not Easy To Filter LSOs

•  LSOs are stored by the Flash browser plug‐in.

•  The protocol format between the plug‐in application and the server is proprietary.

•  Let’s take a look.

Logging In With A Flash App

POST http://[…]/xmlrpc/[…] HTTP/1.1
User‐Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en‐us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Content‐Type: text/xml
Referer: http://[…]/
Accept: */*
Accept‐Language: en‐us
Accept‐Encoding: gzip, deflate
Cookie: […]
Content‐Length: 480
Host: […]
Connection: close

aeab4a7053[…]   (proprietary encoding, may contain LSO data)

Response From Server

HTTP/1.0 200 OK
Date: Fri, 27 Jun 2008 02:49:05 GMT
Server: Jetty/5.1.14 (Linux/2.6.18‐6‐amd64 amd64 java/1.5.0_14)
Content‐Type: text/xml
Content‐Length: 7164

<?xml version="1.0" encoding="UTF‐8"?>[…]

•  Proprietary content; not easy to filter. There isn’t a clean, clear “Cookie” header that Privoxy can look for.

Other Public Service Announcements

Okay, I can manage Adobe LSOs. What else should I watch out for?

What’s wrong here? (As of June 2008)

Hint

From http://www.wamu.com/personal/default.asp:

<form action="https://online.wamu.com/[...]" method="post">
...
<input class="usernamefield" type="text" [...]>
<input class="passwordfield" type="password" [...]>
…</form>

Login Pages Need SSL Too!

•  The HTML form submits to an HTTPS URL, but…

•  Getting the login page over HTTP (not HTTPS) doesn’t guarantee anything about the integrity of the login page.

•  It could have been: <form action="https://IllegalHackerSite.com/[...]" method="post">

•  See also: “Critical Mistake #1: Non‐HTTPS Login page”
   http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

What’s Wrong With This? (June 2008)

HTTP Cookie Sent Without Encryption

•  On private, trusted networks, that’s not a big deal.

•  But on public Wi‐Fi networks, everyone can see it and impersonate you!

See also:

•  Robert Graham’s talk at Black Hat 2007, “Web 2.0 Hijacking”.

•  http://en.wikipedia.org/wiki/Sidejacking

Suggested Fix

For Google Mail: use https://gmail.google.com, not http://gmail.google.com. Your entire session will be SSL encrypted after login.

Yahoo, Hotmail: No known solution (that I know of).

Email me if you know a solution for this.

Summary

•  Manage your Flash LSO settings.

•  Don’t use a login page if the URL is “http” instead of “https”.

•  Use email services that offer SSL for all traffic.
