I would be very interested in learning some technical details of Manuel Caballero’s talk at BlueHat, titled A Resident in My Domain, but so far news is very scarce, fragmented and contradictory.
Its abstract is intriguing:
A Resident in My Domain
Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.
No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.
There’s some discussion at TSSCI, but it raises more questions than it answers: the article draws similarities with two distinct old and fixed bugs, the nastier affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?
Nate, on the other hand, wrote that this is “a horribly serious issue that affects all browsers and is currently not fixed on any of them”.
Direct inquiries in security circles I’m a member of did not bring anything less ectoplasmic to the table.
Therefore, all the juice we’ve got so far is a couple of photos authorizing only the following statements:
If you can summon anything useful, you’re very welcome!