Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Chrome and Safari users open to stealth HTML5 Application Cache attack
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 28 Jun 2010 17:53:14 -0700

On unsecured networks, attackers could stealthily
create malicious Application Caches in the browser of victims for even HTTPS
sites. It has always been possible to poison the browser cache and
compromise the victim's account for HTTP based sites.
With HTML5 Application Cache, it is possible to poison the cache of even
HTTPS sites.

Is it agreed that if the above is true -- meaning, separation doesn't
actually exist -- then there's a bug?

My understanding is that this refers to the ability to poison
http://www.mybank.com - which may be the default destination for a
good percentage of users - even if the only function of this page is
to redirect directly to https://www.mybank.com.

There should be no ability to use cache manifests delivered over http
to inject content into the https origin, or at least I hope so.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]