'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.

haven't we learned from the last 25 exploits?

[Anonymous Coward]

Keep javascript and flash disabled.

That is all. Letting random web sites run scripts on your computer has never been a good idea.

Enable it for your bank if you want. Otherwise, keep it disabled, and you'll be a lot happier (it keeps crapsites from foisting their crap on you), more secure from various exploits, and will maintain more of your privacy from all the data harvesters that depend on javascript.

Re:

[Anonymous Coward]

Some of us would like the internet to be ... well ... useful.

It was plenty useful before Javascript was even invented. With a few rare exceptions, Javascript has not improved the web. It's made back buttons break, foisted 275 KB pages to do what 4K of HTML would do just fine, made videos break where a direct link would work, given us flashing crap, shit popping up, security vulnerabilities, disabled cut and paste which works again as soon as you disable javascript, and so forth and so on.

If you want the web to be useful, you should be pushing for only the most minim

Re: haven't we learned from the last 25 exploits?

[Type44Q]

I'm going to go out on a limb here and guess that you're one of the aforementioned douchebag marketing types (paraphrasing mine)...

Re:

[0123456]

Someone doesn't know shit about the web here...

The introduction of Javascript was when the Internet began to turn to crap. Many of us pointed out at the time just what a security nightmare it would be.

Re:

[marcello_dl]

This. Badly used Javascript, like html frame elements, also break the stateful nature of webpages, and this means breaking the concept of hypertext itself.
If sites were designed with optional javascript and ajax, they would work as well and referring to web content would be much easier. The semantic web was already there.

Of course big sites don't offer you the content as easily. Get logged in, get profiled, don't get out.

Re:

[Arker]

"If you want the web to be useful, you should be pushing for only the most minimal use of Javascript."

When this crap first started getting pushed, a lot of us saw the potential problems coming and objected. We were assured it was only to be used to 'spice up' webpages, not to replace them.

Such assurances are obviously shit. If it's allowed to use it, then the lowest common denominator of self-proclaimed 'designers' can, will, and must overuse it. This overuse expands steadily and predictably until and unles

Re:

[tlhIngan]

You know, there used to be a time where there were excellent webmasters that could do both HTML and Javascript great. Where you went to a website and without JS, it degraded gracefully.

Apple's website was like that, maybe about 8 years ago or so. Other than being a bit ugly in parts, it worked extremely well without JavaScript. (turning it on made it prettier and things worked a lot better, though). In fact, I only noticed it when I noticed it rendered differently on two different Firefoxes - on one, I had

Re:haven't we learned from the last 25 exploits?

[Arker]

Excellent advice.

Expect to be flamed into oblivion by all the 'web devs' that cant be bothered to learn how HTML works and rely on this crap instead, though.

The web - the real web, the HTML web, appears to be shrinking at the moment. New content is often hidden behind some kind of opaque app crap for no apparent reason and with no actual webpage for fallback (thanks google!) and old content occasionally gets removed as well. Each time this happens, it makes it even harder and less likely to revive the healthy web we once built with such love and care.

And naturally the people that are making a profit on this crap will just keep right on cranking it out as long as that is true.

The real victims here are future generations, who should inherit that world-wide web, but are set to inherit something entirely different - and inferior in every way (when judged from the users perspective - from the perspective of big Advertising of course the story will be different, but we built this web for humans, not for marketing.)

Re:

[dgatwood]

Amirite... a bluish purple crystal that turns pink in the presence of sarcasm. First described in a Kenny Loggins song:

Amirite. Donut buddy worry 'bout me.

Re:

[dgatwood]

Nobody minds CSS much, so long as you don't allow embedding JavaScript URLs in it (which, unfortunately, browsers do).

The problem is not JavaScript, per se, so much as the fact that it is massively overused, breaking links, breaking back buttons, etc. Your documentation viewing experience does not demand a web app. It might benefit from some intelligent links that do special stuff if JS is enabled, but if you cannot make your site work with JS disabled, you're abusing JavaScript.

There are exceptions, min

Re:

[holostarr]

How does one embed "JavaScript URLs" in CSS? Also you seem to have no idea about where the web is headed or have heard about responsive design and SPA. Long gone are the days where JavaScript is a small piece of a site's functionality, we are now moving towards a more dynamic and responsive web where you don't have fetch the entire contents of a page just so you can see which of your form inputs the server rejected.

Re:

[dgatwood]

How does one embed "JavaScript URLs" in CSS?

Very easily [stackoverflow.com], and because so few people know it is possible, it's a rather nasty vector for cross-site scripting attacks.

Also you seem to have no idea about where the web is headed or have heard about responsive design and SPA.

I'm well aware of responsive design. I think it's an abomination, because all it does is make it take two page loads to view your site instead of one, by ensuring that I have to first load your broken mobile site, then click the "full versi

Re:

[dveditz]

No modern browser allows javascript URLs in CSS. None. Completely non-standard and dangerous. Old IE and Netscape? Yeah, they were dumb back then, but that was over a decade ago.

Re:

[f00zy]

While I understand some the sentiment expressed here, a lot of this nonsense. An HTML-only web is great for relatively static content, but not so great for anything much beyond that. Is it so difficult to grok why you might want content to change on the client? I don't think so. Is JavaScript used for nefarious purposes? Yes, all the time. Is there bad UX because of JavaScript? No doubt. It is, however, a useful tool in the hands of skilled designers and developers. I'm usually the one telling peop

Re: haven't we learned from the last 25 exploits?

[f00zy]

"I have yet to be cited a single good example here - very often what is being done would work just fine in HTML, with less overhead, but the 'designers' just do not understand HTML, or have any desire to learn it, so they do things this way instead." Over the years, I've done a lot of work with games and simulations for training. Often times, these training simulations must coexist with existing talent management infrastructure. This means a JavaScript API for communicating performance data to the host p

Re:

[Arker]

"Over the years, I've done a lot of work with games and simulations for training."

OK. That really doesnt have anything to do with the web, however. Sure, the web can be used to deliver the project - that doesnt mean it has to actually run inside the browser. There is a HUGE difference.

"We could not have produced this educational game with just HTML."

I get where you are coming from but I still think it's far off the mark. The web is not a game platform, that is not it's purpose, so 'we could not do games thi

Re:

[mfh]

Hear, here!

say wha?

[Noah Haders]

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place.

ummmm what? english please!

Re:

[Anonymous Coward]

English translation: as usual, Flash is useless except as a vector for malware, viruses, trojans and keyloggers. Remove Flash from your system.

Re:say wha?

[Arker]

"English translation: as usual, Flash is useless except as a vector for malware, viruses, trojans and keyloggers. Remove Flash from your system."

That's actually not quite true. Flash is a great way to develop simple games quickly and cheaply.

The problem isnt Flash itself (which is on the whole a fine product, used correctly) but the idea of using Flash as a substitute for a webpage, the installation of it as a browser plugin, and the auto-execution of it by the browser. None of that should be tolerated.

It's still possible to get a standalone flash interpreter and only feed it local, vetted files, which is really fine (or as close to fine as lots of other things you do every day, at least.)  But Adobe seems to be trying their best to discourage that and force everyone to use it as an auto-enabled browser component instead. The one way to use the program that causes major problems is also the one way they want you to use it.

Everyone who has been infected as a result of this should really get together and sue these arseholes, because money is the only language they understand.

Re:

[Mashiki]

As a point, WebM can't replace it fast enough.

A harmful chaining of shitty browser hacks.

[Anonymous Coward]

It's basically a case of one shitty, half-assed browser hack (JSONP) being used in a way that allows another shitty, half-assed browser hack (JavaScript) to abuse yet another shitty, half-assed browser hack (Flash) to violate a shitty, half-assed "security" feature (same-origin policies).

The browser is truly the shittiest platform we've ever had. It may be widespread, but good god, is it ever shitty in so many inherent ways. It's just one smear of shit layered upon another. It really is broken all the way down.

Re:

[holostarr]

Either come up with something better or shut up. The browser is far from perfect, but its continuously evolving and is the best platform currently in existence because of its widespread adoption, standards and ease of development compared to all other platforms. Even many desktop and mobile apps these days are wrapping the browser (or built on top of it) in one way or another (for example PhoneGap and nodejs) and use responsive design to assist with the development. Outside of few specialized areas where na

Re:

[holostarr]

Who are "we"? If people like you represented majority, companies like Google would have already been out of business. In the real world, however, developers pick the right tool for the right job and browser technologies have their place. So go ahead and continue with your deluded reality and ignore the web, you will not be missed.

Re:say wha?

[grcumb]

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place.

ummmm what? english please!

The code sneaks a Flash file disguised as a URL into some JSON data and cons the browser into treating it as JavaScript, but on the local machine it acts like an HTML <OBJECT>, and because the browser is executing the Flash code locally now (due to the masquerade), it can run with greater privileges than if it were from a remote site.

Or in layman's terms: Flash totally sucks the suckage, dude. Always did. Still does.

Re:

[NemoinSpace]

He said, don't bring your laptop to hacker shows in Malaysia. But if you *do* manage to get it through airport securitI, and not have it stolen by baggage handlers *don't* click on flash. Because downloading pr0n in Malaysia is illegal. Just stay home and use NSA approved safe methods of browsing. Oh, and if your the type that carries sensitive information on your cell phone, well, die then.

I'll take a shot at it.

[cbhacking]

I don't know about English, but I can produce an explanation that is understandable by most people with at least some knowledge of how the web works, hopefully... It's not going to be short or simple, but I'll at least try for clear.

JSONP is a web service communication method. The idea is that a client (a web browser) sends a request to a given URL, and in that URL they include a "callback" parameter. The response from the server is a blob of JavaScript starting with the callback parameter (as a function name), and then containing additional data (as a JSON-defined object, usually). Examples:
A target URL that looks like this:
https://vulnerablesite.com/jsonp_service/some_endpoint?callback=jsonp.handle_some_endpoint
Produces a request like this (no body, and some headers omitted for brevity):
GET /jsonp_service/some_endpoint?callback=jsonp.handle_some_endpoint HTTP/1.1
Host: vulnerablesite.com
Cookie: VulnerableSiteSessionCookie=JoeBlowIdentificationValue ...
That produces a response like this (again, header details omitted):
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 41
...

jsonp.handle_some_endpoint({"foo":"bar"})
The browser would then interpret that response as JavaScript, calling the named function.

Now, this looks risky but normally it's safe enough, because while an attacker could embed a <script src="https://vulnerablesite.com/jsonp_service/some_endpoint?callback=jsonp.handle_some_endpoint" /> script source tag that specifies an arbitrary callback name (which then gets executed as JS), there's nothing really dangerous they can do with that because the server will disallow most sensitive characters in JS (things like ( ) = ' " < >) from the callback name, so you can't actually embed arbitrary javascript in the response. Usually the attacker doesn't control the content of the parameter (the JSON blob) either, or at least can't make it be anything except JSON (which is normally pretty harmless). For example, the attacker could pass "alert" as the callback, in which case the victim gets a message box saying "[object Object]" or similar. Whoop-de-do.

OK, so the attacker can't do much just by invoking a script with an arbitrary callback name. However, Flashplayer can execute applets in a number of formats, including formats that are theoretically compressed. I say "theoretically" because there's actually nothing requiring the data to be "compressed" in any even vaguely efficient manner (which tends to produce dense blobs of seemingly-random binary values). Instead, it's possible to create a "compressed" file that only contains alphanumeric characters (and is therefore valid as a callback name), but when it is "expanded" it produces an arbitrary binary blob (such as a compiled Flash applet).

So, here's what the attacker does. They create a malicious Flash applet. They run it through the special compiler this guy came up with, which converts it into a "compressed" applet format containing only characters that are valid for a callback name. They place an HTML object tag on their own, attacker-controlled website. The object specifies the jsonp service on the vulnerable site as its data source (the way one might specify youtube's flash applet as a data source), and specifies the callback name to be the alphanumeric-format applet. The attacker also specifies that the type of the data is application/x-shockwave-flash.

When a user visits the attacker's site, their browser sees the object tag and tries to retrieve the specified data. The response they get back is *actually* a JSONP script, but the first part of it - the callback function name - is *also* a valid Flash applet. Because the object tag specifies that the data type is Flash, the browser obligingly loads Flashplayer and runs the malicious applet (it ignores the ({"foo":"bar"}) blob at the end).

Now, here's the really mean pa

Mitigations

[cbhacking]

Sorry to self-reply, but I figured I should add some mitigations (for those who don't RTFA...)

First of all, as a user, one can of course disallow Flash by default (or remove it entirely). Mechanisms for doing this vary by browser, but all major browsers have at least one.
You can also update Flash. The latest version, released today (Tuesday the 8th), tightens up the validation of "compressed" applets in such a way that it should catch the output of this "Rosetta Flash" program.

For sitemasters / developers, there are a few options.

• You can host your JSONP service on a different (sub)domain from your sensitive data. This is most effective if the JSONP responses are either static or if there's a CSRF token for accessing the user data.
• You can add the string /**/ to the beginning of the JSONP response body, right before the callback identifier (this is what Google and GitHub are doing, for example). This will be ignored by the browser when it's treating JSONP as JavaScript (a 0-character comment) but will break the reflected-Flash-applet attack because the start of the response body no longer contains the magic number for any kind of Flash applet.
• You can add a HTTP response header like Content-Disposition: attachment; filename=f.txt to the JSONP responses, which will prevent all reasonably recent versions of Flashplayer from executing it the applet.
• You can add the HTTP response header X-Content-Type-Options: nosniff to all vulnerable responses (or just all of them), and then make sure that you specify the correct Content-Type header (it should be Content-Type: application/javascript although application/json, while technically incorrect, will probably work too). This header forces most browsers to pay attention to the server-provided content type, rather than letting the web page specify or guessing from the content itself.

Hope that helps!

Very clever

[mc6809e]

Reminds me a little of some work done by Terje Mathisen, an expert assembly language programmer. Not exactly that same as the exploit, but probably interesting to a few slashdotters. I'll let him describe it:

"The most complicated code I have ever written is/was a piece of executable text, in order to be able to send binary data over very early text-only email systems:

"Minimum possible amount of self-modification (a single two-byte backwards branch), a first-level bootstrap that fits in two 64-byte lines including a Copyright notice and which survives the most common forms of reformatting, including replacing the CRLF line terminator by any zero, one or two byte sequence. This piece of code picks up the next few lines, combining pairs of characters into arbitrary byte values before flushing the prefetch cache by branching into the newly decoded second-level bootstrap. (Everything uses only the ~70 different ascii codes which are blessed by the MIME standard as never requiring encoding or escape sequences.)

"This second level consists of a _very_ compact BASE64 decode which takes the remainder of the input and re-generates the original binary which it can either execute in place or write to disk.

JS

[mfh]

This doesn't surprise me. Few developers truly understand how many vectors JS opens up. Just KISS and let's move forward.

JS fanboys are ruining everything.

Re:

[Elminster Aumar]

I'm just happy we have patriots like you to help maintain the wonderful geek culture we never get subjected to through biased perspectives and impulsive assumptions.

Re:

[mfh]

JS is totally impulsive for a site designer. They just decide to add so many different bells and whistles that they don't have enough time to do penetration tests on any of it. They grab source code from ANYWHERE and tack it on their site. Nobody checks that stuff.

Run NoScript and there are tons of sites calling 10+ different JS blocks.

Moral hazard.

Re: JS

[corychristison]

I agree with you to an extent. The problem lies mostly in that users (developers) don't know what they are actually doing. They are typically young and have no real world experience. As you say, they 'tact peices of code together'.

The other

Re: JS

[corychristison]

(Bah. Touchscreens will be thr death of me)

The other issue is Javascript can do too much. I really only use a small subset of it in my own projects. Basically just simple DOM manipulation, and the odd calculation.

Re:

[holostarr]

You are telling me when you build a client side native applications (lets say in c or c++) you look through every line of source code for each library you use? And not all of us web developers just "grab source code from ANYWHERE and tack it on", that is what sets apart good web developers from the bad ones; good developers do research on the libraries and frameworks they use and pick ones that are trusted, well maintained, and are industry standards. Furthermore, there really is not much of a difference b

Re:

[dveditz]

That misses the point of this vuln entirely which requires NO JavaScript whatsoever on the user's part. The site is written to use JavaScript and set up a JSONP service. This trick fools the JSONP service into returning a "callback name" that just so happens to be valid .swf data. The attacker then uses the URL that triggers that response in a context that expects flash (e.g. an or tag). As far as Flash is concerned the .swf came from that site so it's allowed to make any further requests to that site it

Not vulnerable

[viperidaenz]

I don't have flash installed.
Threat mitigated.