[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Some more widgets: Facebook, Hockey, FlickrInterestingNess (Re: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets)



This is a follow-up to [0] and [1].

Last night, I wrote:

> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.

- The (top-50) facebook widget [2] uses the AllowFullAccess
  configuration option, which effectively means what it says.
  
  This widget also uses JSON to access numerous facebook functions,
  and eval() to parse the results.  Most of facebook's API is
  accessed through plain HTTP, of course, so the discussion in [0]
  and [1] fully applies.  It might be interesting to see whether one
  of the facebook JSON APIs is susceptible to cross-site-scripting
  attacks.
  
  The vulnerability is actually imported from the facebook API
  JavaScript library [7], and will affect any other JavaScript code
  that relies on that library.

The following two are somewhat more shy with respect to the holes
they blow into the dashboard's JavaScript sandbox, and therefore a
bit less interesting:

- The Hockey widget [3], currently presented as an Apple Staff Pick
  on [4], performs a lot of screen -- or rather, script -- scraping.
  Here's a little gem:

        var xmlResponse = xmlRequest.responseText;
        xmlResponse = xmlResponse.replace(/[\n\r]/g,"");
        var NHLatl = null;
        var gameData = xmlResponse.match(/script[^<]*var 
NHLatl.*?<\/script>/)[0].replace(/.*?var 
/,"").replace(/,\s*myScoresIcon.*/,"}");
        eval(gameData);

  So, for a change, the threat is not due to JSON, but due to the
  use of eval to extract data from JavaScript embedded with some Web
  page out there.
   
  The privileges gaied with this one are a bit boring, as it's only
  the ability to go out on the network.  But wait for the day on
  which AllowSystem is added in order to get Growl notifications of
  recent results!

- The Flickr Interestingness widget [5] (unfortunately, these folks
  don't give a contact e-mail address) uses JSON with eval to check
  for the availability of upgrades, and to fetch data from the
  flickr API.
  
  This widget comes with the AllowInternetPlugins privilege, and is
  therefore another vector through which one could exercise, say,
  the latest QuickTime vulnerability. [6]

0. 
http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html
1. http://www.securityfocus.com/archive/1/484542/30/0/threaded
2. http://www.apple.com/downloads/dashboard/email_messaging/facebookwidget.html
3. http://www.apple.com/downloads/dashboard/sports/hockeywidget.html
4. http://www.apple.com/downloads/dashboard/
5. 
http://www.apple.com/downloads/dashboard/blogs_forums/flickrinterestingness.html
6. http://www.securityfocus.com/bid/26549
7. http://developersdigest.org/wordpress/?page_id=4

Cheers,
-- 
Thomas Roessler, W3C  <tlr@xxxxxx>