An apparent clickjacking, or UI redress vulnerability, in Google’s Chrome web browser could make it possible for attackers to glean users’ e-mail addresses, their first and last names and other information according to recent work done by an Italian researcher.
Luca De Fulgentis, who writes about security for Nibble Security’s blog, detailed the issue earlier this week, along with another separate data extraction method.
De Fulgentis shows how a user’s information can be extracted with the help of a malicious page using information on a page from Google’s support forums. If logged in, users’ e-mail addresses, names and profile picture URL can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsoft’s Live.com and Yahoo!’s Profiles pages.
De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.
“Instead of a cross-origin drag & drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the “dropper” is a form (text area, input text field, etc.) located on the same domain,” De Fulgentis writes.
Essentially information that should be private is made public by two flaws: If the user is on a website that doesn’t protect information by X-Frame-Options – the response header that ensures information isn’t embedded into other sites – and if that site is affected by clickjacking.
De Fulgentis goes on to explain how this technique can be executed in Chrome on Amazon.com. Using the aforementioned method, an attacker could publish the user’s information as a comment for an Amazon item, as demonstrated by the following video:
Since Amazon’s site doesn’t protect user’s information with an X-Frame-Options header, information like user’s e-mail address and mobile number could be exposed under the right conditions.
This vulnerability is the latest of a series of UI redressing vulnerability reports done by De Fulgentis. Late last year he described a problem with Mozilla’s Firefox that compromised user information on LinkedIn.com.