HTTP status code Psiphon use check vulnerability
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
psiphon |
New
|
Undecided
|
Unassigned |
Bug Description
Read:
"Abusing HTTP Status Codes to Expose Private Information"
https:/
Quote:
"When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you're logged into GMail, but would you care if I could tell you're logged into one or more porn or warez sites? Perhaps http://
(You can skip to "BADDER STUFF STARTS HERE" section below.)
It seems to me that:
- We're safe from the attack if JavaScript is disabled.
If JS is enabled and links rewritten:
- If the attack site isn't loaded through Psiphon (but Facebook, etc., are), then the attack won't work.
- Unless the attacker knows the Psiphon proxy that the user is browsing through (and so can construct links that use it).
- If the attack site is loaded through Psiphon (along with Facebook, etc.), then the attack *will* work ... but in that case they already know the user is using Psiphon, so the extra info about Facebook, etc. doesn't seem like such a big deal (maybe).
BADDER STUFF STARTS HERE
I've thought of a variation on this attack that allows attackers to passively discover Psiphon users (maybe this isn't new, but...):
- Start with popular attacker-controlled or -influenced site. Say Baidu.
- Every time attack learns of a proxy, before they block it, they put a hidden image on the Baidu main page that looks like this:
<img style="
onload=
onerror=
src="https:/
If the browsing user is logged into the Psiphon proxy, Baidu -- and so the attacker -- will find out. The attacker could put a chunk of code like that for every proxy that they know about (and haven't yet blocked).
An obvious -- but not enforceable by us -- defense is for the user to disable Javascript or use private browsing mode.
From our end, possibly checking the referrer (as suggested in the article) would would. (Maybe we're already doing this? Anyone?)
[In response to that, Eugene says: "I believe that one can fake the Referer header in XHR. The code will have to be a little more complicated though."]
visibility: | private → public |
There's an extension of this attack that will allow the attacker to determine what kind of user type/group a particular user is. If the XHR or iframe src is to www.psiproxy. com/users. php and the response is successful, then the attack knows the user is an admin.
(This would also work for Propagators, but maybe not for Power Users, since they don't have any distinct pages.)