A UI redress vulnerability in Google’s Chrome web browser offers a simple data extraction opportunity to a would-be hacker, according to researcher Luca De Fulgentis at Nibble Security, who said that attackers could simply trick users into publishing their private information.
“The Google Chrome web browser seems to have defeated any extraction methods, denying the use of the view-source handler and disallowing cross-origin drag & drop,” the researcher noted. “Despite these adverse conditions, I identified some attack scenarios where a UI redressing issue could be still performed in order to extract sensitive data.”
In some instances, users are fooled into using a two-step drag-and-drop method to publish data publicly. To wit: Instead of a cross-origin drag-and-drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application “and the dropper is a form (text area, input text field, etc.) located on the same domain,” he added.
De Fulgentis said the attacker then exploits a subsequent clickjacking vulnerability on the same domain, which causes the publication of the personal information.
"I refer to this kind of attack chain as a bridge that allows the attacker to move sensitive data from being private to public, while remaining on the same domain," he said. "Then, the attacker can simply access the (now) public information to obtain the extracted data.”
De Fulgentis observed that the technique requires two vulnerabilities: the site's functionality must be able to be affected by clickjacking in the first place, but it also must have web resources that are not protected by X-Frame-Options (or are using a weak frame-busting code).
“An authenticated Google user can be attacked by abusing a UI redressing vulnerability related to the support.google.com domain," De Fulgentis said in his blog post. "No X-Frame-Options header is adopted, thus allowing the cross-domain extraction of personal data."
Similar vulnerabilities have been found on other popular web applications, including Microsoft and Yahoo! Profile pages, he added.
“I found that several world-renowned web applications lack protection of web resources from UI redressing attacks, thus revealing data that can be abused to disclose a user's identity,” said De Fulgentis. “An identification attack could be successfully performed by exploiting a UI redressing flaw affecting web resources that include, for example, the name or the e-mail address of the victim.”