dimva 2019 on the perils of leaking referrers in online
play

DIMVA 2019 On the Perils of Leaking Referrers in Online - PowerPoint PPT Presentation

Jan 01, 2023 •175 likes •636 views

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu Online Collaboration Services (OCSs)

  1. DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu

  2. Online Collaboration Services (OCSs) File operations; ▪ Upload/Create ▪ View/Edit online Online ▪ Share Collaboration Services Beliz Kaleli 2

  3. Sharing a File on an OCS Upload secret location: or Create Share https://www.ocs-name.com/ < UniqueIdentifier > } OCS Ideally unguessable Beliz Kaleli 3

  4. This year McAfee reported that; “8% of shared files contain sensitive data” [1] ▪ OCS Files, used by individuals and companies, can contain sensitive information . [1] Where cloud files are shared. [1] https://www.skyhighnetworks.com/cloud-computing-trends-2019/ Beliz Kaleli 4

  5. Introduction We show that: The secret location of OCS files can be leaked by the improper handling of links embedded in these files. ▪ 21 OCS are analyzed on 6 different web browsers Beliz Kaleli 5

  6. Background - HTTP Referer ▪ HTTP Request Header that identifies the URI from which the request originated. Request Headers Value http://ocs.com/file1 HTTP Accept text/html, application/xhtml+xml Request Accept-Encoding gzip, deflate Accept-Language en-US, en; q=0.5 -------------- Connection keep-alive -------------- -------------- DNT 1 -------------- Host ocs.com Referer http://ocs.com/file1 User-Agent Mozilla/5.0 (X11; Linux x86_64) Beliz Kaleli 6

  7. Background - HTTP Referer Purpose: ▪ Personalize the website: provide specific help, suggest relevant pages to targeted users ▪ Generate special offers ▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from) ▪ Block visitors from specific domains The HTTP Referer field is configurable with the Referrer Policy [1] [1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/. Beliz Kaleli 7

  8. Background - Existing Mitigations ● "no-referrer" ● "no-referrer-when-downgrade" ● "same-origin" ▪ Referrer Policy ● "origin" ● "strict-origin" ● "origin-when-cross-origin" ▪ HTML Link Type ● "strict-origin-when-cross-origin" (i.e. rel=”noreferrer”) ● "unsafe-url" HTTP Referer Referrer Structure No Referrer - ASCII Serialized http(s)://www.service-name.com/ Full Referrer http(s)://www.service-name.com/<UniqueIdentifier> Beliz Kaleli 8

  9. Attack Model maggi.cc Eve Beliz Kaleli 9

  10. Attack Model secret maggi.cc URL Eve Beliz Kaleli 10

  11. Attack Model secret URL secret maggi.cc URL Eve Beliz Kaleli 11

  12. Attack Model secret URL secret maggi.cc Referrer: secret URL URL Eve Beliz Kaleli 12

  13. Attack Model secret URL secret maggi.cc Referrer: secret URL URL maggi.cc Eve Beliz Kaleli 13

  14. Alice: Upload/Create file Beliz Kaleli 14

  15. Alice: Share file https://docs.google.com/document/d /17AA7PNbyu94pHe8QxKHKq8SsK PuLZV-9-ZrWvV-k45o/edit?usp=sha ring Beliz Kaleli 15

  16. Bob: Visit link Beliz Kaleli 16

  17. Implementation - Methodology To test our attack model on real-world OCSs: 1. Identifying relevant services 2. Creating files 3. Sharing files 4. Examining the referrer Beliz Kaleli 17

  18. Implementation - Identifying Relevant Services ▪ We obtained the most popular services by Google queries and crawling Alexa lists ▪ Top/Computers/Internet/File_Sharing ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage ▪ Test manually: --------------------- -------------------o ▪ Setup an account ur-server.com ▪ Upload/Create file with link to our server ------------------- --------------------- ▪ Check if clickable ------------------- ▪ Check if shareable via a URL Uploaded file Beliz Kaleli 18

  19. Implementation - Creating Files ▪ Created different types of files: “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.note”, etc. Embedded Our web HTTP headers are logged URL server Beliz Kaleli 19

  20. Implementation - Sharing Files Relevant OCSs = File Hosting Services + Instant Messaging Services For file hosting services and instant messaging services; ▪ Shared through links which are editable or view-only For some instant messaging services; (e.g., Flock) ▪ File sent directly to chat between two accounts Beliz Kaleli 20

  21. Implementation - Examining Referrers Alice OCS --------------------- -------------------o ur-server.com Share Upload ------------------- secret URL --------------------- ------------------- Beliz Kaleli 21

  22. Implementation - Examining Referrers Alice OCS --------------------- -------------------o ur-server.com Share Upload ------------------- secret URL --------------------- ------------------- Beliz Kaleli 22

  23. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 23

  24. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 24

  25. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 25

  26. Implementation - Examining Referrers Visit recorded Referrer URL Beliz Kaleli 26

  27. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT accessed Beliz Kaleli 27

  28. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT accessed Secret URL is NOT leaked Beliz Kaleli 28

  29. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT File is accessed accessed Secret URL is NOT leaked Beliz Kaleli 29

  30. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT File is accessed accessed Secret URL Secret URL is NOT leaked is leaked Beliz Kaleli 30

  31. Referrer Policy First Public Draft (2014): Working Draft (2016): ▪ "none" ▪ "no-referrer" ▪ "none-when-downgrade" ▪ "no-referrer-when-downgrade" ▪ "origin-only" ▪ "same-origin" ▪ "origin-when-cross-origin" ▪ "origin" ▪ "unsafe-url" ▪ "origin-when-cross-origin" ▪ "unsafe-url" Beliz Kaleli 31

  32. Referrer Policy First Public Draft (2014): Working Draft (2016): ▪ "none" ▪ "no-referrer" ▪ "none-when-downgrade" ▪ "no-referrer-when-downgrade" ▪ "origin-only" ▪ "same-origin" ▪ "origin-when-cross-origin" ▪ "origin" ▪ "unsafe-url" ▪ "strict-origin" ▪ "origin-when-cross-origin" ▪ "strict-origin-when-cross-origin" ▪ "unsafe-url" Currently a Candidate Recommendation Beliz Kaleli 32

  33. Evaluation - Common Insights Reasons behind vulnerabilities; ▪ Referrer Policy is not set by the OCS ▪ Referrer Policy option is not Services secure enough ▪ Different behavior on mobile and desktop browsers ▪ Edge and iOS Safari support Browsers older draft of Referrer Policy Beliz Kaleli 33

  34. Evaluation 7/21 Vulnerable : Vulnerable : Not vulnerable : N/A Beliz Kaleli 34

  35. Evaluation ▪ Edge and iOS Safari supports older draft of Referrer Policy e.g., Overleaf ▪ "origin-when-cross-origin" → Overleaf changed to "no-referrer" and added "rel=noreferrer" → No longer vulnerable Beliz Kaleli 35

  36. Evaluation ▪ Different behaviors on desktop and mobile browsers ▪ PDF.js removes referrers, built-in mechanisms may not e.g., Box ▪ Desktop browsers - PDF.js (removes referrers in requests) ▪ Mobile browsers - native PDF viewer (no referrer removal) ▪ "no-referrer-when-downgrade" Vulnerable: HTTPS → HTTPS ▪ Beliz Kaleli 36

  37. Evaluation ▪ Referrer Policy is not set by the OCS e.g., Onehub, Linkedin Slideshare, Evernote Fallback to "no-referrer-when-downgrade" ▪ Vulnerable: HTTPS → HTTPS ▪ Beliz Kaleli 37

  38. Adoption of Referrer Policy ▪ First 100K of lists : less safe option Beliz Kaleli 38

  39. Countermeasures User Provider ▪ Configure browser settings ▪ Trim HTTP Referer to only ▪ Use browser extensions display the hostname ▪ Use private browsing mode ▪ Use rel=”noreferrer” (on Firefox) ▪ Redirect links inside documents Beliz Kaleli 39

  40. Future Steps ▪ Analyze different browsers and OCSs ▪ Investigate whether this vulnerability is known ▪ Embed links to several real-world websites ▪ Analyze the use of information ▪ Fill files with fake sensitive data Beliz Kaleli 40

Recommend

DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of

DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of

Gothenburg, Sweden DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of Intrusions and Malware &amp; Vulnerability Assessment Magnus Almgren Chalmers University of Technology Sweden DIMVA 2019 Thanks to

345 views • 23 slides
The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019

The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019

The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019 Presenter Tom Cronin Partner - Gordon Rees Scully Mansukhani LLP Chicago 2 3 TOPICAL OVERVIEW Defamation and Libel Generally Liability for Newspaper

855 views • 50 slides
Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of Perception | October 2015 | FINAL | Public 1 Business contributes the largest proportion of tax of any group of tax payers (29%), yet people massively

270 views • 14 slides
Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th 2019 Nilo Redini Computer Science @ UC Santa Barbara nredini@cs.ucsb.edu Motivation - Software complexity pushes developers toward component

958 views • 50 slides
The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD

The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD

The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD Principle Investigator, Urban Predictive Analytics Lab Assistant Professor, School of Community &amp; Regional Planning, UBC 1 The rise of cities Urban

290 views • 12 slides
Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS

Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS

3/12/2019 Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS Assistant Professor University of California, San Francisco March 28, 2019

392 views • 17 slides
Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019

Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019

Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019 Sheila E. Courtney scourtney@pureinsurance.com WATER DAMAGE CLAIMS COST U.S. INSURANCE COMPANIES $10 BILLION A YEAR PURE Insurance | 3 TOILET

352 views • 18 slides
The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication (Its the way you tell it..) www.iapf.ie More confusion and more complaints result from poor communication than from almost any other single

408 views • 18 slides
Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise Single Infusion Therapy for TRD, Suicidal in Psychiatric Practice Ideation, PTSD Continuation Therapy Sanjay J. Mathew, MD The Perils

577 views • 9 slides
SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security Sanjeev Das , Jan Werner, Manos Antonakakis, Michalis Polychronakis, and Fabian Monrose SoK: The Challenges, Pitfalls, and Perils of Using Hardware

529 views • 28 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

580 views • 30 slides
Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and Stephen Remias COMPASS Lab Wayne State University DIMVA, June 19, 2019 Understanding the Security of Traffic Signal Infrastructure, DIMVA 19 1

906 views • 51 slides
Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and Stephen Remias COMPASS Lab Wayne State University DIMVA, June 19, 2019 Understanding the Security of Traffic Signal Infrastructure, DIMVA 19 1

952 views • 53 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE ADVENTURES OF THE ENERGY BILL On March 4, 2004 the Chairman of the Senate Energy Committee, Pete Domenici (R-NM), stated that he hopes Congress can

181 views • 7 slides
Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Welcome to Pace Law School A conference celebrating its past, acknowledging its perils, and anticipating its promise. Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law Update Patricia E. Salkin,

1.39k views • 78 slides
You are leaking metadata! Asbjrn Reglund.com Thorsen 10.06.2016 EUNIS, Thessaloniki About me

You are leaking metadata! Asbjrn Reglund.com Thorsen 10.06.2016 EUNIS, Thessaloniki About me

hEp://www.observeit.com/blog/throw-back-hack-the-infamous-aol-data-leak You are leaking metadata! Asbjrn Reglund.com Thorsen 10.06.2016 EUNIS, Thessaloniki About me Work as head of group at FSAT in Norway PenetraQon tester since 2008

337 views • 31 slides
How DGD.online helps prepare DG documentation easily CIFFA Webinar, June 25, 2019 DGD.online

How DGD.online helps prepare DG documentation easily CIFFA Webinar, June 25, 2019 DGD.online

How DGD.online helps prepare DG documentation easily CIFFA Webinar, June 25, 2019 DGD.online the new cloud application from Lufthansa Cargo All dangerous goods. All modes of transport. One tool. DGD.online DGD.online DGD.online Prepare

140 views • 13 slides
Detecting Unknown Network Attacks using Language Models Konrad Rieck and Pavel Laskov DIMVA

Detecting Unknown Network Attacks using Language Models Konrad Rieck and Pavel Laskov DIMVA

Detecting Unknown Network Attacks using Language Models Konrad Rieck and Pavel Laskov DIMVA 2006, July 13/14 Berlin, Germany The zero-day problem How to distinguish normal from unknown ? GET /dimva06/john/martin.html Accept: */*

300 views • 16 slides
Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway, University of London, UK Stefano Schiavoni Politecnico di Milano, Italy and Google, UK @sschiav, sschiavoni@google.com Federico Maggi ,

1.39k views • 60 slides
Leaking in the Public Interest a Presentation to the Ad-hoc Committee on the Protection of

Leaking in the Public Interest a Presentation to the Ad-hoc Committee on the Protection of

Leaking in the Public Interest a Presentation to the Ad-hoc Committee on the Protection of Information Bill M&amp;G Centre for Investigative Journalism , a non-profit initiative to enhance capacity for investigative journalism in the public

383 views • 36 slides
Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor

Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor

Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor Department of Obstetrics, Gynecology and Reproductive Sciences University of California, San Francisco I HAVE NO DISCLOSURES Plan Palpable

565 views • 32 slides
Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider, Thorsten Holz Ruhr-University Bochum, Germany Motivation DNS: www.rub.de 134.147.64.10 Daily use on the Internet by every user Various

422 views • 27 slides
Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor

Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor

10/9/15 Lumps, Bumps, Leaking and Pain Management of Breast Conditions Rebecca A. Jackson, MD Professor Department of Obstetrics, Gynecology and Reproductive Sciences University of California, San Francisco I HAVE NO DISCLOSURES 1 10/9/15

486 views • 33 slides

More recommend