14 DAY TRIAL // Researchers warn that HTML5 support might pose serious security problems for websites by making code formerly thought secure, vulnerable. A critical and undetectable cross-site scripting hole on Facebook was used to demonstrate the concept.
“HTML 5 does not do much to solve browser security issues. In fact it actually broadens the scope of what can be exploited, and forces developers to fix code that was once thought safe,” a researcher named Matt Austin writes on his blog. “For example HTML5 introduces HTTP access control or Cross-Origin Resource Sharing. This allows the browser to make ajax requests cross domain. It introduces new headers so that a service can block remote sites from being able to run non authorized requests, but the client actually needs to add javascript to confirm the origin of the request,” he explains.
For demonstrative purposes Mr. Austin exploited this shortcoming on Facebook's popular Web interface for smartphones available at touch.facebook.com. This page loads content in a div via AJAX and doesn't employ frame busting protection.
Before HTML5 was implemented in browsers, loading content from an external local into this page would have been impossible due to the Same-Origin JavaScript policy. However, the new HTML5 features allowed attacker to force an AJAX request for http://touch.facebook.com/#http://example.com/xss.php.
There are several additional issues with such an attack. For one, the part after # in the URL is not captured in logs, so the webmasters can't see the unauthorized requests. Then, because everything happens on the client side, server-side parameter filtering (WAF) wouldn't help.
According to Mr. Austin an attacker could include an IFrame exploiting this issue into a rogue website and then trick users into visiting it. If a victim has an active Facebook session, the attacker gains complete control over touch.facebook.com and can view their name, email, phone, photos, read and send messages from their account, post comments and even add friends. With a bit more fiddling the attacker can also take control of a facebook app owned by the victim.
Facebook has addressed this security issue, but the social networking website is not alone in this mess. Many websites which rely on similar methods of serving content, including some jQuery libraries, are also affected. “Cross-Origin Resource Sharing is currently available in Firefox 3.5, Safari 4, and Google Chrome 2. IE8 supports CORS with the XDomainRequest function instead of the existing XMLHttpRequest,” Austin notes.
You can follow the editor on Twitter @lconstantin
