Hard News Hard Hitting News Source Global Political News
Attackers can use ‘Scroll to Text Fragment’ web browser feature to steal data – research

Scroll to Text Fragment (STTF), a feature that can be used to directly browse to a specific text fragment on a webpage, can be exploited to leak sensitive user information, a security researcher has found.

The exploit, discovered by SecForce’s Maciej Piechota, uses CSS selectors to extract information from the web page and send it to a server controlled by the attacker.

Users can use the STTF feature by using the ‘#:~:text’ identifier and appending a text string to the URL of a webpage. If the string exists on the page, the browser will directly scroll to it and highlight the relevant section.
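For defenders who inspect or rewrite links (for example in a mail gateway or a link-preview service), the following added example parses the ‘#:~:text’ directives out of a URL and strips them before the link is followed. It is not code from the original article or from Piechota’s write-up; the function names are hypothetical, the sample URL is constructed, and the directive grammar is taken from the Text Fragments specification.

```javascript
// Added example. Directive grammar (Text Fragments spec):
//   #[fragment]:~:text=[prefix-,]start[,end][,-suffix]   directives joined by '&'
const DELIM = ':~:';

// Percent-decode one term; keep the raw text if the encoding is malformed.
function decodeTerm(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return every text directive in the link as {prefix, start, end, suffix}.
function parseTextDirectives(link) {
  const hash = new URL(link).hash;            // '' or '#...'
  const at = hash.indexOf(DELIM);
  if (at === -1) return [];                   // no fragment directive present
  return hash.slice(at + DELIM.length).split('&')
    .filter((d) => d.startsWith('text='))
    .map((d) => {
      const parts = d.slice('text='.length).split(',');
      const out = { prefix: null, start: null, end: null, suffix: null };
      // A prefix term ends with '-', a suffix term begins with '-'.
      if (parts.length > 1 && parts[0].endsWith('-')) {
        out.prefix = decodeTerm(parts.shift().slice(0, -1));
      }
      if (parts.length > 1 && parts[parts.length - 1].startsWith('-')) {
        out.suffix = decodeTerm(parts.pop().slice(1));
      }
      out.start = decodeTerm(parts[0]);
      out.end = parts.length > 1 ? decodeTerm(parts[1]) : null;
      return out;
    });
}

// Remove the fragment directive but keep any ordinary '#anchor' before it.
function stripFragmentDirective(link) {
  const url = new URL(link);
  const at = url.hash.indexOf(DELIM);
  if (at !== -1) url.hash = url.hash.slice(1, at);
  return url.href;
}

// Constructed sample link with two text directives.
const SAMPLE =
  'https://example.test/page#intro:~:text=Scroll-,to%20Text,Fragment,-feature&text=highlight';
```

Logging the parsed directives shows which on-page strings a received link is trying to match, and following the stripped URL loads the same page without triggering the scroll-and-highlight behaviour.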

Exfiltrating data using STTF

“I received a link from a friend which included Scroll to Text Fragment and I started wondering how the highlighting is done on the successful scroll and if it could be customized somehow,” Piechota told The Daily Swig.

STTF uses a special CSS directive to highlight the target text. Piechota found that if a page has a CSS injection vulnerability, an attacker can manipulate style specifications to cause the browser to send data to an attacker-controlled server through attributes that support the ‘url’ function.

“This issue is an example of malicious misuse of a feature, rather than a vulnerability,” Piechota said.

In his write-up of the exploit, Piechota details three different kinds of attacks using the STTF feature. In one proof of concept, the adversary sends a specially crafted URL that reveals to the attacker’s server whether the target is an administrator.

“All of the attacks target and can exfiltrate data that is visible on the currently browsed website by the victim,” Piechota said.

STTF was designed with security features to prevent the exfiltration of secret/random data. It also requires user interaction to avoid automated attacks.

Attackers can circumvent some of these safeguards by exploiting the victim’s lack of security awareness via social engineering. Piechota also discovered that an attacker could exploit browser extensions such as adblockers to imitate user clicks, which are needed for the STTF feature to work.

One of the PoCs uses the STTF scheme to reveal the recovery seed phrase of the victim’s cryptocurrency wallet.

Targeted attacks

“I would say this technique is handy in two scenarios,” Piechota said. “First: when the attackers find a vulnerability on the site and want to target the administrator out of a group of all users unknown to them.

“Second: when the attacker knows the victim and needs answers to specific questions, like ‘do[es] the victim have 2FA enabled?’, or, ‘Did they receive the offer from company A?’”

According to Piechota, like many cross-site leak (XS-Leak) attacks, the STTF exploit requires some level of social engineering to lure the victim to visit the attacker’s page. “In this case even more so, as we would need to lure the victim to execute certain actions,” he said.

Piechota warned that developers should be aware that even innocent-looking browser features can be exploited by sophisticated attackers. The STTF leak shows that CSS injection bugs can lead to powerful attacks.

“For the users, it’s the same old story – think before opening a link and use up-to-date software,” Piechota said.

Source: https://portswigger.net/daily-swig/attackers-can-use-scroll-to-text-fragment-web-browser-feature-to-steal-data-research