The web browser has come a long way since its invention in late 1990. Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer/Edge have taken the world by storm with their ever-evolving, user-friendly features. They have boosted productivity significantly thanks to seamless integration with third-party applications and plug-ins. Unfortunately, web browser security is an aspect that is overlooked more often than not.
Browser-based applications have revolutionized the way we use the internet, but they have also opened up a plethora of vulnerabilities and security gaps that attackers exploit on a wide scale. Generally speaking, the majority of these loopholes can be traced back to poor code integrity and insecure coding practices. This article touches on the issues and addresses the solution.
Israeli security researcher Guy Aharonovsky found a glaring flaw in the Chrome speech API which could let an attacker eavesdrop on the victim through the computer's microphone. The vulnerability was demonstrated against version 11 of Chrome (Chromium). Millions of users worldwide are still running this exploitable version of the popular browser. But this was just the tip of the iceberg.
Aharonovsky found and reported many more flaws that Google has yet to fix. After Google decided to make his report public, Aharonovsky published a detailed webcam proof of concept on his blog.
Webcam spying with Google Chrome. Source: Guy Aharonovsky
The vulnerability in the spotlight is called Popjacking, which is essentially traditional Clickjacking carried out with the help of malicious popups in the web browser. Aharonovsky goes so far as to call this technique the "most overlooked flaw in web/mobile browsers". The problem is severe because Chrome doesn't really indicate that the website is using the webcam.
It's a straightforward sequence. The victim sees a popup window showing fake info-bars. These malicious popups can be crafted however the attacker wishes; the more skilled the attacker, the less suspicious the window looks. Once the victim clicks, approval is granted, the webcam is activated without the victim's knowledge, and the attacker can even record the video feed from the compromised device.
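The classic clickjacking defence is for the site to forbid embedding via X-Frame-Options or the CSP frame-ancestors directive. The following is an added example, not code from the original post or from Aharonovsky's research: it evaluates those two headers against a hypothetical framing origin so you can see what they do and do not cover. All header values, the origin https://app.example and the other hostnames are constructed for illustration; ports are not modelled.

```javascript
// Added example, not code from the original post. It evaluates the two
// anti-framing headers a site can send against a hypothetical framing
// origin, i.e. the classic clickjacking defence that popjacking sidesteps.
// All header values and origins below are constructed for illustration.

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Match a host pattern such as "*.partner.example" against a hostname.
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    return hostname.endsWith('.' + suffix) && hostname.length > suffix.length + 1;
  }
  return pattern === hostname;
}

// Does one frame-ancestors source expression permit `framer` to embed `page`?
// Ports are deliberately not modelled in this example.
function sourceAllows(source, page, framer) {
  if (source === "'none'") return false;
  if (source === "'self'") return page.origin === framer.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::\d+)?$/.exec(source); // host-source
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  return hostMatches(hostPattern, framer.hostname);
}

// headers: object keyed by lower-case header name; origins: "https://host" strings.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const page = new URL(pageOrigin);
  const framer = new URL(framerOrigin);

  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    // When frame-ancestors is present it governs and X-Frame-Options is ignored.
    if (ancestors) return ancestors.some((src) => sourceAllows(src, page, framer));
  }

  const rawXfo = (headers['x-frame-options'] || '').trim();
  const xfo = rawXfo.toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return page.origin === framer.origin;
  if (xfo.startsWith('ALLOW-FROM ')) {
    // Legacy directive, ignored by current browsers; modelled as a one-origin allowlist.
    return new URL(rawXfo.slice('ALLOW-FROM '.length).trim()).origin === framer.origin;
  }
  return true; // no header, or a value browsers do not recognise: the page can be framed
}

// Constructed responses for three deployments of the hypothetical https://app.example
const RESPONSES = {
  unprotected: {},
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
  modern: {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

// Which deployments would let `framerOrigin` embed the app in an iframe?
function report(framerOrigin) {
  const out = {};
  for (const [label, headers] of Object.entries(RESPONSES)) {
    out[label] = framingAllowed(headers, 'https://app.example', framerOrigin);
  }
  return out;
}
// report('https://evil.example')            -> { unprotected: true, legacyOnly: false, modern: false }
// report('https://widgets.partner.example') -> { unprotected: true, legacyOnly: false, modern: true }
```

The caveat that matters for Popjacking: both headers are only consulted when a page is loaded into a nested browsing context (an iframe, frame, object or embed). A popup opened with window.open is a top-level window, so neither header is involved at all; the only thing standing between the victim and the fake info-bar is the browser's own permission UI, which is exactly what the technique imitates.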
With close to a billion users worldwide, WhatsApp has taken the world by storm. Over 200 million users have already signed up for the Web version, where Check Point has exposed a glaring vulnerability.
Check Point security researcher Kasif Dekel found that the web application failed to filter contact card (vCard format) attachments properly. These seemingly harmless attachments can be loaded with executable content and cause problems for users of vulnerable versions of the application: no proper validation is performed on the attachment, so the payload runs once the victim opens the downloaded file.
The WhatsApp developers have acknowledged the vulnerability and released a patch. Make sure you are running WhatsApp Web version 0.1.4481 or later.
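What "proper validation" of a contact card looks like in practice: the client should check both the declared name and type of the attachment and that the body actually parses as a vCard, since a renamed file passes one check but not the other. The following is an added example, not WhatsApp's or Check Point's code; the function names, the property allowlist and the sample attachments are constructed for this example.

```javascript
// Added example, not WhatsApp's or Check Point's code. Validates a "contact
// card" attachment before it is offered for download: the declared name and
// MIME type must be a vCard, and the body must actually parse as one.

const ALLOWED_EXTENSIONS = ['.vcf'];
const ALLOWED_MIME_TYPES = new Set(['text/vcard', 'text/x-vcard']);
const MAX_BODY_BYTES = 64 * 1024;
// Common vCard 2.1/3.0/4.0 property names; vendor extensions must start with "X-".
const STANDARD_PROPERTIES = new Set([
  'BEGIN', 'END', 'VERSION', 'FN', 'N', 'NICKNAME', 'ORG', 'TITLE', 'ROLE',
  'TEL', 'EMAIL', 'ADR', 'LABEL', 'URL', 'NOTE', 'PHOTO', 'BDAY', 'REV',
  'UID', 'PRODID', 'CATEGORIES', 'KIND', 'IMPP',
]);

// vCard folds long lines by starting the continuation with a space or tab.
function unfold(body) {
  return body.replace(/\r\n/g, '\n').replace(/\n[ \t]/g, '');
}

// Returns { ok, problems }; an attachment with any problem must not be downloadable.
function validateVcardAttachment({ fileName, mimeType, body }) {
  const problems = [];
  const name = String(fileName || '').toLowerCase();
  const type = String(mimeType || '').toLowerCase();

  if (!ALLOWED_EXTENSIONS.some((ext) => name.endsWith(ext))) {
    problems.push(`file name must end in .vcf, got "${fileName}"`);
  }
  if (/[\\\/\x00-\x1f]/.test(name)) {
    problems.push('file name contains path separators or control characters');
  }
  if (!ALLOWED_MIME_TYPES.has(type)) problems.push(`unexpected MIME type "${mimeType}"`);
  if (new TextEncoder().encode(body).length > MAX_BODY_BYTES) problems.push('body too large');
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(body)) problems.push('body contains control characters');

  const lines = unfold(body).split('\n').filter((l) => l.length > 0);
  if (lines[0] !== 'BEGIN:VCARD') problems.push('body does not start with BEGIN:VCARD');
  if (lines[lines.length - 1] !== 'END:VCARD') problems.push('body does not end with END:VCARD');

  let sawVersion = false;
  for (const line of lines) {
    // Every content line has the shape [group.]PROPERTY[;param=value...]:value
    const m = /^(?:[A-Za-z0-9-]+\.)?([A-Za-z0-9-]+)(?:;[^:]*)?:/.exec(line);
    if (!m) {
      problems.push(`not a vCard property line: "${line.slice(0, 40)}"`);
      continue;
    }
    const prop = m[1].toUpperCase();
    if (prop === 'VERSION') sawVersion = true;
    if (!STANDARD_PROPERTIES.has(prop) && !prop.startsWith('X-')) {
      problems.push(`unknown property "${prop}"`);
    }
  }
  if (!sawVersion) problems.push('missing VERSION property');

  return { ok: problems.length === 0, problems };
}

// Constructed sample attachments (not real messages).
const GOOD_CARD = {
  fileName: 'Jane Doe.vcf',
  mimeType: 'text/vcard',
  body: 'BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n' +
        'TEL;TYPE=CELL:+1 555 0100\r\nNOTE:A long note that is folded\r\n  onto a second line\r\nEND:VCARD\r\n',
};
// A batch file offered in the contact-card slot: wrong extension and not a vCard.
const BATCH_FILE_AS_CARD = {
  fileName: 'Jane Doe.bat',
  mimeType: 'text/vcard',
  body: '@echo off\r\necho this is not a contact card\r\n',
};
// Same body renamed to .vcf: the extension check passes, the body check still fails.
const RENAMED_ONLY = {
  fileName: 'Jane Doe.vcf',
  mimeType: 'text/vcard',
  body: '@echo off\r\necho renaming is not enough\r\n',
};
```

Checking the body rather than trusting the name is the point: an attacker controls both the file name and the bytes, so a filter that only inspects the extension is defeated by a rename, and a filter that only inspects the bytes still hands the user a file with an executable extension. Rejecting on either failure keeps the client out of the business of guessing what the operating system will do with the download.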
Mozilla's open-source bug tracker, commonly known as Bugzilla, was breached earlier this year. The leaked information about 185 coding errors and flaws was used by the attackers to target Firefox users. The breach was considered extremely severe, since Firefox is used by around 20% of internet users worldwide. It also showed how bad the web browser security situation really is.
Browsers consist of a wide range of software components that are frequently found vulnerable by security researchers, ethical hackers and malicious attackers. These include:
ActiveX – Web pages use ActiveX controls that reside on the Windows system to extend functionality in Internet Explorer. When not properly implemented, vulnerabilities appear because the attack surface is significantly increased. Installing Windows applications typically installs new ActiveX controls as well, introducing potential buffer overflow and remote code execution vulnerabilities.
The ActiveX Vulnerability Notes Database shows how fragile this mechanism can become if not developed securely and configured properly before implementation.
Java – The Java Virtual Machine (JVM) executes Java code (applets) supplied by websites to display active content. Java applets are typically executed within secure "sandboxes", limiting their interaction with system resources. But poor implementations and configurations can lead to vulnerabilities that let an attacker bypass the "sandbox" and execute malicious code.
Plugins – Just like ActiveX components, plugins are applications developed to run inside the web browser. One commonly used plugin is Adobe Flash. While extremely useful for improving functionality and usability, Flash and other widely used plugins have numerous programming and design flaws that can be easily exploited.
Cookies – Cookies are small pieces of data that the browser stores on the computer on behalf of specific websites. They can hold session identifiers, user preferences and other private data, and a session cookie is what lets a site recognise an authenticated user on later requests. When cookies are not protected (for example, sent over plain HTTP or readable by page scripts), attackers can harvest them to hijack sessions and perform identity and data theft. The problem is more serious with persistent/stored cookies, which survive a browser restart and linger on disk.
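The attributes on a Set-Cookie header decide how much a harvested cookie is worth to an attacker, so they are worth checking mechanically. The following is an added example, not code from the original post: one helper audits an existing Set-Cookie header for the missing attributes, and one builds a session cookie that passes that audit. The cookie names and values, and the finding texts, are constructed for this example.

```javascript
// Added example, not from the original post. Audits a Set-Cookie header for
// the attributes that limit what an attacker can do with a stolen cookie,
// and builds a session cookie that passes the audit.

// Parse a Set-Cookie header into its name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const value = eq >= 0 ? pair.slice(eq + 1) : '';
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return { name, value, attributes };
}

// Return the list of weaknesses in a Set-Cookie header. `isSession` marks
// cookies that carry authentication state and therefore need every control.
function auditSetCookie(header, isSession = true) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  const secure = 'secure' in a;
  if (!secure) findings.push('missing Secure: cookie is sent over plain HTTP and can be sniffed');
  if (isSession && !('httponly' in a)) findings.push('missing HttpOnly: page scripts (e.g. injected via XSS) can read the cookie');
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : null;
  if (!sameSite) findings.push('missing SameSite: cookie rides along on cross-site requests (CSRF)');
  else if (sameSite === 'none' && !secure) findings.push('SameSite=None requires Secure');
  if (isSession && ('expires' in a || 'max-age' in a)) findings.push('persistent session cookie: survives browser restart and lingers on disk');
  if ('domain' in a) findings.push(`Domain=${a.domain}: cookie is shared with every subdomain`);
  if (isSession && !name.startsWith('__Host-')) findings.push('no __Host- prefix: cookie can be overwritten from a subdomain or non-HTTPS origin');
  if (name.startsWith('__Host-') && (a.path !== '/' || 'domain' in a)) findings.push('__Host- cookie must have Path=/ and no Domain');
  return findings;
}

// Build a Set-Cookie header for a session identifier that passes the audit above.
function hardenedSessionCookie(name, value, { sameSite = 'Strict' } = {}) {
  const prefixed = name.startsWith('__Host-') ? name : `__Host-${name}`;
  return `${prefixed}=${value}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Constructed headers for comparison (values are not real session tokens).
const WEAK_COOKIE = 'sessionid=2a1f9c0d4e; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=example.com';
const STRONG_COOKIE = hardenedSessionCookie('sessionid', '2a1f9c0d4e');
// auditSetCookie(WEAK_COOKIE).length   -> 6
// auditSetCookie(STRONG_COOKIE).length -> 0
```

Note that the audit treats a persistent Expires/Max-Age on a session cookie as a finding rather than a feature: that is the "persistent/stored" case the paragraph above calls out, where the token outlives the browser session and sits on disk for anyone with access to the profile directory.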
The aforementioned software components are only a few of the browser-related targets that attackers can potentially exploit. Needless to say, secure application development is becoming more and more crucial as the importance of web browser security rises. Cybercrime has to be fought from the early stages of development. This is where Static Code Analysis (SCA) comes into play.
As the infographic above shows, remediating vulnerabilities early in the development process avoids a lot of technical and legal issues and saves the organization a great deal of money.
With vulnerabilities galore in web browsers, applications and the various plugins/add-ons, it's becoming clear that code integrity has to be improved across the board. While there is currently no browser-specific security standard, protocols are being devised. One such initiative is the Web Browser Testing System (WBTS), which will ideally help automate the testing of browsers and user agents.
But even without dedicated protocols and security standards, secure application code can be produced by working in a secure SDLC, where testing is integrated into the developer's environment and daily routine. This is typically achieved with Static Application Security Testing (SAST) solutions, such as the aforementioned Static Code Analysis (SCA). The benefits include:
While SAST methods such as Static Code Analysis (SCA) can help establish a secure SDLC in organizations, it's always recommended to complement them with other security solutions to improve the robustness of the application code. One such approach is to use Static Analysis during the development stage and complement it in the pre-release stage with a few cycles of penetration testing.
With more and more users performing their daily chores via their web and mobile browsers, web browser security has to be taken seriously. Secure application code is the order of the day.
OWASP is currently devising a security protocol specifically for browser-related development. This Browser Security ACID Tests Project will soon be accessible to developers worldwide, who can run a pre-determined suite of test cases to improve security standards.