  1. #1

    Possible trivial Phorm opt-in "Exploit" discovered

    I was doing a tiny bit of research on Phorm last night and it occurred to me that, as the opt-out is cookie-based, it should be possible to opt in an unwilling Phorm ISP customer using cross-site request forgery (CSRF).

    All that's required is an image link which could be hidden on a webpage or in a forum post or blog etc.

    Don't worry, no opt-in images here, but you can download my test page from rapidshare.

    Download-Link #1: http://rapidshare.com/files/10001349...n_exploit.html

    You can check your webwise opt-in/opt-out status here http://webwise.bt.com/webwise/
    Last edited by Mel; 16-03-2008 at 04:55 PM. Reason: Updated download link in original post

  2. #2


    I've added the webwise status link to the test page.

    http://rapidshare.com/files/10001349...n_exploit.html

    Oh and if anyone wants to host my page on their website, they are welcome to do so, and to amend it as they see fit.
    However I would expect this oversight to be closed fairly quickly.
    Last edited by Mel; 16-03-2008 at 04:55 PM.

  3. #3


    My webwise CSRF page has been temporarily made available at the following url

    PHP Code:

    http://www.toobadcs.co.uk/phorm/Phorm_opt-in_exploit.htm
    I haven't made the link clickable so you'll have to copy the exploit URL to your address bar.

    Warning: by visiting this page, Webwise will be enabled on your browser.

    Don't forget to opt-out afterwards, or delete the a.webwise.net cookie.

    If your ISP plans to implement Phorm/Webwise, then I think it might be wise to block the webwise.net domain.

    On second thoughts, it might be wiser to choose a better ISP.
    Last edited by Mel; 16-03-2008 at 08:09 PM.

  4. #4

    it might be wise to block the webwise.net domain
    And, of course, if you're a bit forgetful (who, me?) and have overlooked the fact that you blocked the darned thing about a fortnight ago when the Phorm story surfaced, you will have to temporarily allow it to get Mel's exploit to work in the first place.

    Having done that, yes, it did the job - but just as a minor point, Mel, there's an image top left that isn't showing up, and I don't *think* that's because of anything I've done.
    I could be wrong, of course - I usually am.
    Gordon
    -----------
    This message comes to you by permission of GCHQ.
    Lost an e-mail or need copies of someone else's e-mails?
    Please contact our Sales Department at Cheltenham.

  5. #5


    Quote Originally Posted by sentup.custard
    And, of course, if you're a bit forgetful (who, me?) and have overlooked the fact that you blocked the darned thing about a fortnight ago when the Phorm story surfaced, you will have to temporarily allow it to get Mel's exploit to work in the first place.

    Having done that, yes, it did the job - but just as a minor point, Mel, there's an image top left that isn't showing up, and I don't *think* that's because of anything I've done.
    I could be wrong, of course - I usually am.
    That's the exploit, I said it was really trivial to do.

    I could make sure the image wasn't visible, but as it is only a demo I couldn't be bothered.

    This flaw took me about two minutes to spot, makes me wonder how thorough the security audit was...

  6. #6

    Ah, right - I get it now, I hadn't twigged that it was a "non-image" rather than a "fake image", if you see what I mean, still expected to see something there.
    This flaw took me about two minutes to spot
    Mmm... doesn't exactly say a lot for the brains behind their system, does it?
    Gordon
    -----------
    This message comes to you by permission of GCHQ.
    Lost an e-mail or need copies of someone else's e-mails?
    Please contact our Sales Department at Cheltenham.

  7. #7


    Yep, your browser sends an HTTP request to the "image" URL to fetch the image so it can display it, but as it is not actually an image, it doesn't render it.

    As the "image" URL is in fact the Webwise opt-in URL, the Webwise server replies with an opt-in cookie, and hey presto, you've been press-ganged into Webwise.

    There are more sophisticated ways to achieve a CSRF; I've even read it is possible to forge "Referer", but given that some popular applications strip "Referer" from HTTP requests, checking the referrer would not be a particularly good approach to prevent CSRF.
    Last edited by Mel; 17-03-2008 at 01:52 AM.
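    The mechanism posts #1 and #7 describe (a browser fetching an image URL issues a plain GET, and a server that changes a preference on GET and answers with a cookie cannot tell that fetch from a deliberate opt-in) modelled as a toy request handler, with the hardened handler beside it. This is an added example and not code from the thread or from Phorm/BT Webwise; the `/optin` path, the cookie names, the host names, and the in-memory session store are all assumed. The hardened version requires POST, a per-session synchroniser token, and SameSite on the preference cookie, and treats Origin only as a secondary check because, as post #7 notes, clients and proxies may strip Referer-style headers.

```python
"""Toy model of a cookie-based opt-in endpoint and its CSRF-hardened form.

Added example, not code from the thread or from Phorm/BT Webwise.  Path,
cookie names, origins and the session store below are assumptions made for
illustration only.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Response:
    status: int
    set_cookie: dict = field(default_factory=dict)  # name -> (value, attributes)


SITE_ORIGIN = "https://opt.example.test"  # assumed origin of the opt-in service


def vulnerable_optin(req: Request) -> Response:
    """'Before' pattern: any GET to /optin flips the preference and sets a cookie.

    Because the browser issues this GET for any <img src=...> on any page,
    the handler cannot distinguish an image fetch from a deliberate opt-in.
    """
    if req.method == "GET" and req.path == "/optin":
        return Response(200, {"optin": ("1", "")})
    return Response(404)


# In-memory stand-in for server-side session state: session id -> CSRF token.
_SESSION_TOKENS: dict = {}


def issue_token(session_id: str) -> str:
    """Mint a per-session synchroniser token, as the opt-in form page would."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def hardened_optin(req: Request) -> Response:
    """'After' pattern: POST only, token bound to the session, Origin as a
    secondary check.  Referer is deliberately not relied upon; the token is
    what actually proves the request came from the service's own form."""
    if req.path != "/optin":
        return Response(404)
    if req.method != "POST":
        return Response(405)  # an <img> fetch can only ever be a GET
    expected = _SESSION_TOKENS.get(req.cookies.get("sid", ""))
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return Response(403)  # missing or wrong token: not from our form
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return Response(403)  # header present but points elsewhere
    # SameSite=Strict stops the browser attaching the preference cookie to
    # cross-site loads at all, so a stray fetch cannot even read the state.
    return Response(200, {"optin": ("1", "SameSite=Strict; Secure; HttpOnly")})


def demo() -> dict:
    """Constructed requests standing in for the browsers in the thread."""
    # The browser loading an <img> on some third-party page: plain GET, no body.
    img_fetch = Request("GET", "/optin",
                        headers={"Referer": "https://forum.example.test/thread"},
                        cookies={"sid": "s1"}, form={})
    token = issue_token("s1")
    # A genuine submission of the service's own opt-in form.
    real_submit = Request("POST", "/optin", headers={"Origin": SITE_ORIGIN},
                          cookies={"sid": "s1"}, form={"csrf_token": token})
    # A cross-site POST: right method, but the token is unknowable to the sender.
    forged_post = Request("POST", "/optin",
                          headers={"Origin": "https://forum.example.test"},
                          cookies={"sid": "s1"}, form={"csrf_token": "guess"})
    return {
        "vulnerable_img": vulnerable_optin(img_fetch).status,   # 200, cookie set
        "hardened_img": hardened_optin(img_fetch).status,       # 405
        "hardened_real": hardened_optin(real_submit).status,    # 200
        "hardened_forged": hardened_optin(forged_post).status,  # 403
    }


if __name__ == "__main__":
    print(demo())
```

    The image fetch succeeds against the first handler and is refused by the second on method alone; the forged POST gets past the method check but fails the token comparison, which is why the token, not the Referer header, carries the protection.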

  8. #8

    Quote Originally Posted by Mel
    I was doing a tiny bit of research on Phorm last night...
    Just a tiny bit eh Mel?

  9. #9


    Quote Originally Posted by Old dude
    Just a tiny bit eh Mel?
    I just wanted to see what the opt-out cookie was like and make sure my firewall rules blocked the site, and I happened to look at a javascript.

    As Webwise is claimed to protect users against phishing, I suppose I should have made my demo "exploit" turn it off, although given browsers come with effective anti-phishing protection built in, I can't see the point.

  10. #10

    Mel is very good at finding the loopholes for this; it is just annoying that every time I visit the webpage on the clan hosting I have to delete the webwise cookie. Just using it to get me into a routine to check daily for a webwise cookie before I start to visit websites.

    It is soo nice to do the search and find none
    Kits
    My present ISP Aquiss.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved