Ever since stories of hacked websites and leaked sensitive information became commonplace, securing your website has been not just important but expected. While progress is made all the time, major web security vulnerabilities are still being uncovered on the internet, some as recently as this past year.
A user posted a bug on the Chrome bug tracker on May 9, 2018 [Security: uXSS in Chrome on iOS]. Before I go into more detail about the bug, check out this video for a little more background on URLs and the role they play in securing your site. [embedded video]
Now, back to the uXSS bug that was discovered. uXSS stands for universal cross-site scripting: one website can run scripts against, and access resources from, another website that it should not be able to touch at all. In computer programming terms, a script is a program or sequence of instructions that is interpreted or carried out by another program (here, the browser) rather than directly by the computer's processor.
For example, if you open https://my-site.net and https://google.com in two browser tabs, my-site.net should NOT be able to simply ask Google for your Google account information. With this bug, it could. Even worse, imagine one of the sites was your bank: the other site could perhaps call a function on the banking website to initiate a transfer.
So, thinking back to what we learned from the video, how did they do it? It turns out you could confuse the part of iOS that works out how to read the URL of the site you're on. There is [supposed to be] built-in protection that prevents scripts from accessing anything but their own site. However, this user figured out how to trick the browser into thinking it was on another site, and that allowed the scripts to run. [The video above explains this pretty well if you need another rundown.]
If you ran a certain line of JavaScript code, the browser would modify the history state of the current website to a new URL. But the URL used here is very odd: two dots, a semicolon, an @ sign, then the URL you want to "attack". The new URL would appear in the browser as, for instance, "https://web-safety.net/..;@www.google.com:%3443/". Due to a bug in iOS, the browser now thought the website was really www.google.com and not web-safety.net.
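To see why that URL is confusable, here is an added example (not code from the original post or from the bug report) that contrasts a hypothetical shortcut host extraction with the WHATWG URL parser built into browsers and Node (the global `URL` class), and adds a small origin check a site can log against. The naive parser, the expected-origin allow-list, and the two ordinary URLs beside the quoted one are constructed for illustration.

```javascript
// Added example (not from the original post or the bug report). Shows why a
// shortcut host extraction is fooled by the confusable URL quoted above, while
// the WHATWG URL parser built into browsers and Node (global `URL`) is not, and
// a small origin check a defender can log against.

// URL quoted in the post.
const CONFUSABLE_URL = "https://web-safety.net/..;@www.google.com:%3443/";

// Hypothetical shortcut parser (constructed for illustration): strip the scheme,
// treat everything after the last "@" as the authority, then drop port and path.
// The "@" that sits in the *path* of the confusable URL is taken as the
// userinfo separator, so the host comes out wrong.
function naiveHost(url) {
  const withoutScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const at = withoutScheme.lastIndexOf("@");
  const authorityLike = at === -1 ? withoutScheme : withoutScheme.slice(at + 1);
  return authorityLike.split(/[/:?#]/)[0];
}

// Standards-conformant parse: the authority ends at the first "/", so any "@"
// after that is an ordinary path character.
function parsedHost(url) {
  return new URL(url).hostname;
}

// Defensive check: compare the parsed origin with an allow-list of origins the
// page expects to be running on, and flag authority-looking characters ("@",
// ":") in the path so such URLs can be logged for review.
function originCheck(url, allowedOrigins) {
  const parsed = new URL(url);
  return {
    origin: parsed.origin,
    allowed: allowedOrigins.includes(parsed.origin),
    suspiciousPath: /[@:]/.test(parsed.pathname),
  };
}

// Stand-alone demonstration over the quoted URL and two constructed ones.
function demo() {
  const samples = [
    CONFUSABLE_URL,
    "https://web-safety.net/page",        // constructed ordinary URL
    "https://user@web-safety.net/login",  // constructed URL with real userinfo
  ];
  for (const u of samples) {
    console.log(u);
    console.log("  naive host :", naiveHost(u));
    console.log("  parsed host:", parsedHost(u));
    console.log("  check      :", JSON.stringify(originCheck(u, ["https://web-safety.net"])));
  }
}
demo();
```

The naive function reports www.google.com for the quoted URL, while the standards-conformant parser reports web-safety.net; the origin check flags the "@" and ":" in the path, which is the kind of signal worth logging when a page's scripts are deciding which site they are on.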
While this was originally written up as a Chrome bug, it ended up not being Chrome's fault at all. It is actually an underlying iOS issue: iOS forces all browsers to use its framework, and the bug lives in that framework.
So what happened after this bug was uncovered? In the short term, Chrome "fixed" the bug by crashing the browser if it detected a funny URL like this. It couldn't stop the attack any other way, since it had no control over the underlying iOS code.
Interestingly, Google Chrome awarded the user who reported this bug a $7500 bounty, even though it wasn't a bug in Chrome! It was such a critical bug that it needed to get fixed, and they appreciated it being reported rather than abused.
So, the moral of the story is this: all that cross-browser testing is worth it. Without it, you never know what vulnerabilities you could be opening yourself up to. Stay safe out there.