Casper on Paypal

I would be very interested in learning some technical details of Manuel Caballero’s talk at BlueHat, titled A Resident in My Domain, but so far news is very scarce, fragmented and contradictory.

Its abstract is intriguing:

A Resident in My Domain

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb ;)

There’s some discussion at TSSCI, but it adds more questions than answers: the article draws similarities with two distinct old and fixed bugs, the nastier one affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?
Nate, on the other hand, wrote that this is “a horribly serious issue that affects all browsers and is currently not fixed on any of them”.

Direct inquiries in the security circles I’m a member of did not bring anything less ectoplasmic to the table.

Therefore, all the juice we’ve got so far is a couple of photos, which support only the following statements:

  1. It is scary.
  2. It has something to do with JavaScript and IFrames.
  3. It definitely works in IE7.

If you can summon anything useful, you’re very welcome!

7 Responses to “Misterious Ghost Stories”

  1. #1 sirdarckcat says:

    Can I Haz Ghostz?
    http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

    (lol catz have ruined my life)

  2. #2 Giorgio says:

    @Sirdarckcat:
    I Ain’t ‘fraid of no catz :)
    10x!

  3. #3 hackademix.net » Who You Gonna Call? says:

    […] Misterious Ghost Stories 12 05 2008 […]

  4. #4 Nathan McFeters says:

    Yo Georgio!

    "Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb."

    Why call me out like that?

    There are two points I can say:

    1.) I did see the talk and understand the attack, but I’m not certain I can accurately recount the entire attack vector, nor is it my place since it was someone else’s research (Manuel).
    2.) I discussed this at length with Microsoft and they asked me not to talk about it for now, as this may still be a usable attack vector on several browsers. Being that they invited me to a private conference for discussions about research I was working on, and NOT as a journalist, I respect their wishes. They gave me exclusive coverage of the event, which was very cool of them, and so respecting their wishes about this issue was a small thing to give up.

    I just had a look at sirdarkcat’s posting… I think it is very similar, but I don’t think it’s the exact same thing. Certainly he understands the concepts, but I’ll let Manuel or one of the other attendees confirm that. I wasn’t really taking notes on the whole ordeal, as I had some other work I was also doing at the time for my real job, so like I said, not 100% certain of how he did it, the general idea sounds very similar to what sirdarkcat has done, which is very serious in any case.

    -Nate

  5. #5 Giorgio says:

    @Nate:
    No need to explain why you can’t give away details, the comment of yours I linked to “pretends” was clear enough.
    I added a smile at the end of the statement you quoted: I was only trying to be ironic about the fact that we’ve got an issue announced and looking like a doomsday device threatening “all browsers”, known to an audience of hackers and security researchers who may or may not have good intentions, and no information to build a mitigation plan, other than throw-away browser sessions and our best friend.

    Cheers :)

  6. #6 James says:

    Probably not related, but http://www.thomasfrank.se/sessionvars.html is interesting.

  7. #7 Nathan McFeters says:

    Yeah, I would’ve loved to give you the details to get it fixed. Apparently the issue has been fixed in IE, so perhaps sirdarkcat’s is a new issue… or a new instance of the same attack.

    -Nate
