[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Some more widgets: Facebook, Hockey, FlickrInterestingNess (Re: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Some more widgets: Facebook, Hockey, FlickrInterestingNess (Re: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets)
- From: Thomas Roessler <tlr@xxxxxx>
- Date: Tue, 4 Dec 2007 17:35:40 +0100
This is a follow-up to [0] and [1].
Last night, I wrote:
> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.
- The (top-50) facebook widget [2] uses the AllowFullAccess
configuration option, which effectively means what it says.
This widget also uses JSON to access numerous facebook functions,
and eval() to parse the results. Most of facebook's API is
accessed through plain HTTP, of course, so the discussion in [0]
and [1] fully applies. It might be interesting to see whether one
of the facebook JSON APIs is susceptible to cross-site-scripting
attacks.
The vulnerability is actually imported from the facebook API
JavaScript library [7], and will affect any other JavaScript code
that relies on that library.
The following two are somewhat more shy with respect to the holes
they blow into the dashboard's JavaScript sandbox, and therefore a
bit less interesting:
- The Hockey widget [3], currently presented as an Apple Staff Pick
on [4], performs a lot of screen -- or rather, script -- scraping.
Here's a little gem:
var xmlResponse = xmlRequest.responseText;
xmlResponse = xmlResponse.replace(/[\n\r]/g,"");
var NHLatl = null;
var gameData = xmlResponse.match(/script[^<]*var
NHLatl.*?<\/script>/)[0].replace(/.*?var
/,"").replace(/,\s*myScoresIcon.*/,"}");
eval(gameData);
So, for a change, the threat is not due to JSON, but due to the
use of eval to extract data from JavaScript embedded with some Web
page out there.
The privileges gaied with this one are a bit boring, as it's only
the ability to go out on the network. But wait for the day on
which AllowSystem is added in order to get Growl notifications of
recent results!
- The Flickr Interestingness widget [5] (unfortunately, these folks
don't give a contact e-mail address) uses JSON with eval to check
for the availability of upgrades, and to fetch data from the
flickr API.
This widget comes with the AllowInternetPlugins privilege, and is
therefore another vector through which one could exercise, say,
the latest QuickTime vulnerability. [6]
0.
http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html
1. http://www.securityfocus.com/archive/1/484542/30/0/threaded
2. http://www.apple.com/downloads/dashboard/email_messaging/facebookwidget.html
3. http://www.apple.com/downloads/dashboard/sports/hockeywidget.html
4. http://www.apple.com/downloads/dashboard/
5.
http://www.apple.com/downloads/dashboard/blogs_forums/flickrinterestingness.html
6. http://www.securityfocus.com/bid/26549
7. http://developersdigest.org/wordpress/?page_id=4
Cheers,
--
Thomas Roessler, W3C <tlr@xxxxxx>