Fixed bug could allow attackers to extract sensitive information

A recently-patched security hole in Chromium browsers allowed attackers to bypass safeguards against dangling markup injection’, an attack that extracts sensitive information from webpages.

While dangling markup injection is well-known and -addressed in Chromium browsers, the new attack took advantage of an unaddressed case in how the browser upgrades unsafe HTTP connections.

Extracting sensitive markup

Dangling markup injection captures data cross-domain in situations where full cross-site scripting (XSS) attacks aren’t possible.

If an application doesn’t sanitize user-supplied data before integrating it into the markup, an attacker can take advantage to force the page to send some of the page’s markup to their own server.

For example, the attacker can inject HTML markup that includes a specially crafted <img> element that invokes a resource on the attacker’s server and sends HTML markup on the page as the query string to the server.

The Chromium team has been patching dangling markup injection bugs since 2017 and has added restrictions to escape or remove HTML markup inserted into URL strings.

Safe connection, unsafe markup

Chromium also has another security feature that upgrades unsafe HTTP protocols used in the HTML markup.

For example, if the src attribute of an <img> tag refers to an HTTP address, the browser automatically upgrades it to HTTPS to enforce encrypted connections.

SeungJu Oh, the security researcher who reported the new bug, discovered that when the browser upgrades an in-page URL from HTTP to HTTPS, it bypasses the dangling markup injection safeguards.

As a result, if an attacker provides a dangling markup injection string that uses the HTTP scheme, it will not go through the dangling markup injection sanitization process when the URL is upgraded to HTTPS.

Oh provided a proof of concept with an <img> tag, but also said that the same scheme works with audio, video, and possibly more tags.

“This allows attackers to get personal information by leaking the user’s content when [the] script is unavailable due to security elements such as CSP,” Oh writes.

According to the conversation thread in the Chromium bug report platform, the function that switches the URL protocol to HTTPS causes the dangling markup flag to become false, which in turn bypasses the security checks on the URL string. The bug has been patched in the new version of Chromium-based browsers.

The findings further highlight the necessity to sanitize user input before integrating it into the markup.

It is also a reminder of the complexities of managing the security of products that have many moving parts.

Sometimes, a security fix in one part of the program can break the safeguards in another, as Chromium’s latest dangling markup injection vulnerability shows.

YOU MAY ALSO LIKE UnRAR path traversal flaw can lead to RCE in Zimbra