Security researcher Luca De Fulgentis has identified a number of user interface redressing (clickjacking) vulnerabilities in popular services that could be leveraged by cybercriminals to gather user information in what’s known as identification attacks. He has also identified a clickjacking flaw in Google Chrome.
The fact that many websites don’t use the X-Frame-Options header or other anti-clickjacking mechanisms allows an attacker to harvest all sorts of information if they can trick the victim into clicking on apparently innocent links or buttons.
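As an added example (not part of the article or of the researcher's work), the check below classifies a response's framing protection from the two mechanisms the paragraph refers to: the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The header sets it is run on are constructed samples, not real site responses.

```python
# Added example: audit HTTP response headers for anti-clickjacking protection.
# Input is a dict of lowercased header names -> list of received values
# (a header may legitimately appear more than once). No network I/O.
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, List[str]]) -> str:
    """Classify framing protection: 'none', 'invalid', 'conflicting',
    'deny', 'sameorigin' or 'allowlist'. Only 'deny' and 'sameorigin'
    stop a cross-origin page from framing the response."""
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options,
    # so it is evaluated first.
    for csp in headers.get("content-security-policy", []):
        ancestors = parse_frame_ancestors(csp)
        if ancestors is None:
            continue
        if ancestors == ["'none'"]:
            return "deny"
        if ancestors == ["'self'"]:
            return "sameorigin"
        return "allowlist"  # explicit partner origins; review the list
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        return "none"  # frameable by any origin: the case the article describes
    values = {v.strip().upper() for v in xfo}
    if len(values) > 1:
        # e.g. DENY and SAMEORIGIN sent together; browsers have handled
        # this inconsistently, so treat it as a misconfiguration to fix.
        return "conflicting"
    value = values.pop()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    # ALLOW-FROM and other unknown tokens are ignored by modern browsers,
    # leaving the page frameable.
    return "invalid"


if __name__ == "__main__":  # constructed sample header sets
    for name, hdrs in {
        "unprotected": {},
        "csp-only": {"content-security-policy": ["frame-ancestors 'none'"]},
        "legacy-allow-from": {"x-frame-options": ["ALLOW-FROM https://example.test"]},
    }.items():
        print(f"{name}: {framing_policy(hdrs)}")
```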
The expert has demonstrated that such an issue in support.google.com can be used to extract a user’s email address, full name and profile picture URL. The names, email addresses and other details of Microsoft Live and Yahoo! users could also be easily obtained by leveraging clickjacking vulnerabilities.
However, the most interesting finding of De Fulgentis is a Chrome vulnerability that allows attackers to extract user information despite the many security mechanisms implemented by Google, such as denying the use of the view-source handler and disallowing cross-origin drag and drop.
“Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the ‘dropper’ is a form (text area, input text field, etc.) located on the same domain,” the researcher explained.
“Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntarily publish sensitive data.”
To demonstrate how such attacks work, the expert has published a couple of proof-of-concept videos showing how the vulnerability could be leveraged against Google and Amazon users.
Earlier in December, De Fulgentis published the details of a similar vulnerability that affected Firefox.
Update: Google representatives have reached out to us to clarify that Chrome itself is not vulnerable; instead, the vulnerability exists in the websites.
Furthermore, they explain that “Chrome's single-origin restriction on drag-and-drop is an intentional security measure. It's not perfect, but as evidenced here it mitigates the most common cases of this bug that are otherwise exploitable in other browsers.”
Here are the proof-of-concept videos published by the expert: