Wednesday, September 10, 2008

Google Chrome, s3mp, and security

Seeing that Chrome was just released, I decided to make sure it works with s3mp, and I'm pleased to say that it does (see screenshot). That said, when playing with s3mp in Incognito mode, I found a disturbing security hole that allows "cookies" not only to be retained between Incognito sessions but also to leak from a regular session into Incognito.

I said cookies, but I meant Flash SharedObjects. They're basically a way for Flash applets to store information locally (s3mp uses them to store "Local Settings"). Unlike cookies, Chrome neither discards them when an Incognito session ends nor keeps the Incognito copies apart from the regular profile's: the Flash plugin writes them to its own per-user storage, outside Chrome's profile, and Chrome never touches them.

Aside: Adobe has a knowledge base entry on how to manage and disable shared objects.

I made a proof-of-concept that logs what web pages the user visits using a Flash SharedObject to escape the Incognito sandbox.
Using it is easy: go to the main page, then some random combination of Chrom'd pages (page 1, page 2, etc.), then back to the main page, and the main page will display the history. The "Clear" button removes the SharedObject from your computer.

To break out of Incognito mode, go to the Chrom'd main page in an Incognito session. Browse a few pages, then close the session (or all of Chrome). Browse to the Chrom'd main page again, and the Incognito browsing history (only Chrom'd pages) will be shown. Even better: since SharedObjects are stored by the Flash plugin rather than by the browser, and so are shared across browsers, fire up IE or explore your way to Firefox and load the page.
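To confirm the leak on disk rather than through the SWF, here is an added example (my code, not s3mp's and not the post's PoC): a Python reader for the .sol files Flash Player writes. It assumes the usual per-user Flash Player storage roots for Linux, macOS and Windows, and an AMF0-encoded object holding numbers, booleans, strings and arrays (an AMF3-encoded file is reported, not decoded); the sample bytes at the bottom are constructed here, not captured from s3mp. Run it after closing an Incognito session: if the object's .sol is still listed, the persistence is confirmed, and its path (outside any browser profile) shows why every browser sees it.

```python
"""Read Flash Player SharedObject (.sol) files straight from disk.

Added example, not s3mp's code or the post's PoC. Assumptions: the
storage roots below (typical Flash Player 9/10 paths) and AMF0 encoding;
AMF3 files are reported, not decoded.
"""
import os
import struct
import sys

# Per-user Flash Player storage (assumed typical paths). None of these lie
# inside a browser profile, which is why every browser sees the same objects.
STORAGE_ROOTS = [
    os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects"),
    os.path.expanduser("~/Library/Preferences/Macromedia/Flash Player/#SharedObjects"),
    os.path.join(os.environ.get("APPDATA", ""), "Macromedia", "Flash Player", "#SharedObjects"),
]

class SolError(ValueError):
    """Malformed or unsupported .sol content."""

class Amf0Reader:
    """Big-endian reader for the AMF0 subset a settings/history object uses."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise SolError("truncated .sol data")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def num(self, fmt):  # struct format, e.g. ">B", ">H", ">I", ">d"
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def utf8(self):  # 16-bit length prefix, then UTF-8 bytes
        return self.take(self.num(">H")).decode("utf-8")

    def value(self):
        t = self.num(">B")
        if t == 0x00:  # number (IEEE double)
            return self.num(">d")
        if t == 0x01:  # boolean
            return self.num(">B") != 0
        if t == 0x02:  # string
            return self.utf8()
        if t == 0x0A:  # strict array: 32-bit count, then values
            return [self.value() for _ in range(self.num(">I"))]
        raise SolError("unsupported AMF0 type 0x%02x" % t)

def parse_sol(data):
    """Return (shared_object_name, {property: value}) for an AMF0 .sol file."""
    r = Amf0Reader(data)
    if r.take(2) != b"\x00\xbf":
        raise SolError("missing .sol header")
    if r.num(">I") != len(data) - 6:  # length of everything after the 6-byte header
        raise SolError("length field does not match file size")
    if r.take(4) != b"TCSO":
        raise SolError("missing TCSO signature")
    r.take(6)  # fixed bytes 00 04 00 00 00 00
    name, encoding = r.utf8(), r.num(">I")
    if encoding != 0:
        raise SolError("%r uses AMF%d; only AMF0 is decoded here" % (name, encoding))
    props = {}
    while r.pos < len(data):
        key = r.utf8()
        props[key] = r.value()
        if r.num(">B") != 0:  # one padding byte follows every property
            raise SolError("missing padding byte after %r" % key)
    return name, props

def find_sol_files(roots=STORAGE_ROOTS):
    """Yield every .sol under the storage roots that exist on this machine."""
    for root in filter(os.path.isdir, roots):
        for dirpath, _, files in os.walk(root):
            yield from (os.path.join(dirpath, f) for f in files if f.endswith(".sol"))

def build_sol(name, props):
    """Serialise strings and lists of strings as an AMF0 .sol (for the sample below)."""
    def utf8(s):
        return struct.pack(">H", len(s.encode())) + s.encode()

    def amf0(v):
        if isinstance(v, list):
            return b"\x0a" + struct.pack(">I", len(v)) + b"".join(map(amf0, v))
        return b"\x02" + utf8(v)

    body = b"TCSO\x00\x04\x00\x00\x00\x00" + utf8(name) + struct.pack(">I", 0)
    for key, value in props.items():
        body += utf8(key) + amf0(value) + b"\x00"
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

# Constructed sample, not a real capture: a history-logging object named
# "history" after three Chrom'd pages were visited.
SAMPLE_SOL = build_sol("history", {"pages": ["/chromed/", "/chromed/page1", "/chromed/page2"]})

if __name__ == "__main__":
    for path in sys.argv[1:] or find_sol_files():
        try:
            print(path, parse_sol(open(path, "rb").read()))
        except SolError as err:
            print(path, "error:", err)
```

With no arguments it walks the storage roots and prints every SharedObject it can decode; pass explicit .sol paths to inspect a single object. The length and padding checks matter when you point it at real files: a mismatch there usually means the file is AMF3 or was written by a newer player, not that the leak is absent.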

Putting on my black hat, what could be done with this hole? Nothing that isn't already a problem on other browsers. One of the more clever applications would be to couple SharedObjects with cookies to detect whether a user frequently browses a web page in Incognito mode (the SharedObject survives while the Incognito cookie does not, so a returning SharedObject with no matching cookie marks a private session), then display security-related ads to paranoid users.

Chrome might offer some security features, but history, cache, and cookies are only part of the story. As plugins become a required part of the web experience, a private-browsing mode that isn't plugin-aware leaves Chrome one step behind web developers, and further behind black hats.

Now... Where did they hide the "disable flash" button?
