Hayak has demonstrated the Same Origin Method Execution (SOME) technique against Google+, gaining access to users’ photos and videos just tricking the victims into click on a malicious link.
In the specific case the Same Origin Method Execution attack could be exploited to steal all personal images and videos of G+ users, a dangerous circumstance if we thing in the recent case of Fappening with celebrity’ s iCloud accounts.
Let’s image that users take some photos with their mobile that that the images are then automatically backed up via Google’s “Auto Backup” feature to a private location on Google+, the Same Origin Method Execution (SOME) technique allows the attacker to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.
The Same Origin Policy is a pillar of web application security model which is used to regulate the interaction between unrelated websites and third-party services.
The data transfer is allowed because web browsers don’t enforce SOP on <script> tags, but JSONP can also be abused if not correctly implemented. Hayak explained that manipulating the JSONP callback parameter, it is possible to execute arbitrary methods on the vulnerable website.
When the victim clicks on the malicious link, a the malicious code is executed in a new window. The new window is quickly opened and it’s executed once the method is executed, it is typically impossible for the victim to understand what it is happening. The technique could be also improved opening a legitimate web page once the Same Origin Method Execution is completed, in this way the attacker avoids suspicious of the victim.
Which are the methods that can be executed with the Same Origin Method Execution (SOME) technique?
It depends on the specific website attacked, for example, in the case of Google+, the attacker could first select the images on the victim’s account and then send them to his recipient.
During its presentation, the researcher has successfully tested the attack on Google+, but as explained by Hayak many other websites are also vulnerable, including web services of financial institutions.
The researcher has already reported to Google the security issues, and the company after two months patched it, just before the Black Hat conference. Google also rewarded the researcher with $3,133.7 for his findings.
Techniques implemented to prevent cross-site reference forgery (CSRF) and Cross-site scripting (XSS) don’t work as protection measure against Same Origin Method Execution attack, the researcher also explained that Frame busting is inefficient.
Hayak expained that actually there are only three ways to protect websites using JSONP against such attacks:
Let’s wait for the detailed research paper on SOME attacks that will be published in the next months.
(Security Affairs – Same Origin Method Execution, hacking)