WebPrivacyandAdobeLocalSharedObjects

(andotherthingsyoushouldknow)

ClintonWongclinton.defcon@gmail.com

Defcon16,August2008

Theseslidesareobsolete

•  ThisisthepresentaKonincludedontheDefcon16CD.

•  ChecktheDefconwebsiteforthelatestversionofthistalk.

ThisTalkIsn’tAboutAnythingNew

AccordingtohPp://en.wikipedia.org/wiki/Local_Shared_Object:

“FlashPlayer[…]doesnotasktheuser'spermissiontostoredatapermanently.ThismayconsKtuteacollecKonofcookie‐likedatathatmayincludenotonlyuser‐trackinginformaKonbutanypersonaldatathattheuserhasenteredinanyFlash‐enabledapplicaKon”

PublicServiceAnnouncement

•  Thingsyoushouldknowbutprobablydon’t.•  HowdoImanageLSOs?

• WhatelseshouldIdodifferently?

HTTPCookiesAreWellUnderstood

It’s2008,everyoneknowsabout“cookies”.

IETFstandards:

•  HTTP/1.1:RFC2616•  HTTPCookies:RFC2109

Let’stakealookatthat…

WebBrowserSendsThis…

GEThPp://www.google.com/HTTP/1.1

User‐Agent:Mozilla/5.0(Macintosh;U;IntelMacOSX10_5_3;en‐us)AppleWebKit/525.18(KHTML,likeGecko)Version/3.1.1Safari/525.20

Accept‐Encoding:gzip,deflate

Accept:text/xml,applicaKon/xml,applicaKon/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept‐Language:en‐usHost:www.google.com

ConnecKon:close

WebServerRepliesWithThis…

HTTP/1.0200OK

Cache‐Control:private,max‐age=0Date:Thu,26Jun200804:18:25GMT

Content‐Type:text/html;charset=UTF‐8Set‐Cookie:PREF=ID=a2bce[…]keepthisinmindfornextslide

domain=.google.com

Content‐Encoding:gzipServer:gws

Content‐Length:2654

…

WebBrowserSubsequentlySendsThis…

GEThPp://www.google.com/favicon.icoHTTP/1.1User‐Agent:Mozilla/5.0(Macintosh;U;IntelMacOSX10_5_3;en‐us)

AppleWebKit/525.18(KHTML,likeGecko)Version/3.1.1Safari/525.20

Referer:hPp://www.google.com/Accept:*/*Accept‐Language:en‐usAccept‐Encoding:gzip,deflate

Cookie:PREF=ID=a2bce[…]valuethatservergaveusinpreviousslideHost:www.google.comConnecKon:close

BrowsersLetYouManageCookies

Setcookieacceptance/expiraKonpolicy.E.g.,Firefox3:

BrowsersLetYouManageCookies

Clearallprivatedataupondemand:

WebProxiesCanFilterHTTPCookiesPrivoxyisafilteringwebproxy.

Flexiblefilteringrules,cookiesincluded.

Stripoutcookies,allowcookiesforcertainsites.

Seealso:hPp://privoxy.org

Adobe’sAlternateCookieSystem

•  AdobeFlashusesLocalSharedObjectstokeeppersistentsessionstate,similartoHTTPcookies.

• MostallbrowsersincludetheAdobeFlashplug‐in.

•  LSOsarenotclearedwhenyouclearyourHTTPCookies.

• Webbrowsersdon’tknowhowtomanagethem.

•  Bydefault,they’rethereunMlyouexplicitlyclearthem.

ThisDoesn’tAffectAdobeLSOs

ThisDoesn’tManageLSOEither

CompaniesAreExploiKngThis

CompanyBypassesCookie‐DeleMngConsumersInformaKonWeekarKclebyAntoneGonsalves,3/31/05

“UnitedVirtualiKesisofferingonlinemarketersandpublisherstechnologythataPemptstounderminethegrowingtrendamongconsumerstodeletecookiesplantedintheircomputers.TheNewYorkcompanyonThursdayunveiledwhatitcallsPIE,orpersistentidenKficaKonelement,atechnologythat'suploadedtoabrowserandrestoresdeletedcookies.InaddiKon,PIE,whichcan'tbeeasilyremoved,canalsoactasacookiebackup,sinceitcontainsthesameinformaKon.”

hPp://www.informaKonweek.com/news/security/privacy/showArKcle.jhtml?arKcleID=160400801

HowDoIFixThis?

•  YouactuallycanmanageLSOs.•  Adobe’swebsitedescribeshow:

hPp://www.macromedia.com/support/documentaKon/en/flashplayer/help/sewngs_manager.html

•  InparKcular…

SewngLSOAcceptancePolicy

VisitthisURL,whichhasaflashapp:hPp://www.macromedia.com/support/documentaKon/en/flashplayer/help/sewngs_manager03.html

ClearingLSOs

ManuallydeleteLSOsbyvisiKngthisURL:hPp://www.macromedia.com/support/documentaKon/en/flashplayer/help/sewngs_manager06.html

NotEasyToFilterLSOs

•  LSOsarestoredbyFlashbrowserplug‐in.•  Protocolformatbetweenplug‐inapplicaKonandserverisproprietary.

•  Let’stakealook.

LoggingInWithAFlashApp

POSThPp://[…]/xmlrpc/[…]HTTP/1.1

User‐Agent:Mozilla/5.0(Macintosh;U;IntelMacOSX10_5_3;en‐us)AppleWebKit/525.18(KHTML,likeGecko)Version/3.1.1Safari/525.20

Content‐Type:text/xml

Referer:hPp://[…]/

Accept:*/*

Accept‐Language:en‐us

Accept‐Encoding:gzip,deflate

Cookie:[…]

Content‐Length:480

Host:[…]ConnecKon:close

aeab4a7053[…]proprietaryencoding,maycontainLSOdata

ResponseFromServer

HTTP/1.0200OKDate:Fri,27Jun200802:49:05GMT

Server:JePy/5.1.14(Linux/2.6.18‐6‐amd64amd64java/1.5.0_14)

Content‐Type:text/xmlContent‐Length:7164

<?xmlversion="1.0"encoding="UTF‐8”?>[…]

•  Proprietarycontent;noteasytofilter.Thereisn’taclean,clear“Cookie”headerthatPrivoxycanlookfor.

OtherPublicServiceAnnouncements

Okay,IcanmanageAdobeLSOs.WhatelseshouldIwatchoutfor?

What’swronghere?(AsofJune2008)

Hint

FromhPp://www.wamu.com/personal/default.asp:

<formacKon="hPps://online.wamu.com/[...]"method="post">

...

<inputclass="usernamefield"type="text"[...]>

<inputclass="passwordfield"type="password"[...]>

…</form>

LoginPagesNeedSSLToo!•  HTMLFormsubmitstoHTTPSURL,but…•  GewngtheloginpageoverHTTP(notHTTPS)doesn’tguaranteeanythingabouttheintegrityoftheloginpage.

•  Itcouldhavebeen:<formacKon="hPps://IllegalHackerSite.com/[...]"method="post">

•  Seealso:“CriMcalMistake#1:Non‐HTTPSLoginpage”

hPp://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

What’sWrongWithThis?(June2008)

HTTPCookieSentWithoutEncrypKon

•  Onprivatetrustednetworks,that’snotabigdeal.•  ButonpublicWi‐Finetworks,everyonecanseeitandimpersonateyou!

Seealso:

•  RobertGraham’stalkatBlackHat2007,“Web2.0Hijacking”.

•  hPp://en.wikipedia.org/wiki/Sidejacking

SuggestedFix

ForGoogleMail:usehWps://gmail.google.com

nothPp://gmail.google.comYourenKresessionwillbeSSLencrypteda}erlogin.

Yahoo,Hotmail:NoknownsoluKon(thatIknowof).

EmailmeifyouknowasoluKonforthis.

Summary

• ManageyourFlashLSOsewngs.•  Don’tusealoginpageiftheURLis“hPp”insteadof“hPps”.

•  UseemailservicesthatofferSSLforalltraffic.