[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?

tahoe-lafs trac at tahoe-lafs.org
Thu Nov 15 02:50:38 UTC 2012 

#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
-------------------------+-------------------------------------------------
     Reporter:  zooko    |      Owner:  davidsarah
         Type:  defect   |     Status:  assigned
     Priority:           |  Milestone:  soon
  critical               |    Version:  1.3.0
    Component:  code-    |   Keywords:  newcaps confidentiality integrity
  frontend-web           |  preservation capleak gsoc
   Resolution:           |
Launchpad Bug:           |
-------------------------+-------------------------------------------------

Old description:

> Several web security experts (who will remain unnamed in this ticket
> since they have yet to show me a working exploit) have said that if have
> a page containing JavaScript in one window or tab of a web browser, and
> you have another page in a different window or tab of that browser, that
> the web browser will inspect the "origin" of the JavaScript and the
> "origin" of the other page to decide whether the JavaScript will be
> allowed to read or change parts of the other page (including its URL).
>
> By "origin", these web security experts tell me, web browsers mean "host
> and port number" (or possibly they look at only the top two elements of
> the host domain name).  Since all pages that are stored on tahoe and that
> you are viewing in a web browser are coming from the same host (sometimes
> localhost or 127.0.0.1) and port number, this means any JavaScript that
> you view through your tahoe node can access all the URLs of all the other
> pages you have loaded (or possibly have ever loaded since you launched
> your browser) from Tahoe.  (Furthermore, just to make things worse, these
> web security experts allege that it might be possible for the JavaScript
> program to ''stay running'' in your browser even after you close that tab
> or window and continue to access your other tabs or windows which were
> loaded from the same "origin".)
>
> If true, this is bad.  Because those other pages, while they are loaded
> from the same host and portnumber, could actually be from very different
> ''origins''.  One might be a cute game that you want to play that was
> passed along from a friend of a friend.  Another might be your personal
> finance database with all of your bank account numbers and billing
> information.  We would like it if the web browser would allow you to play
> the fun game in one window, and edit your personal finance document in
> another window, without giving the game the ability to read (and
> therefore to upload) or change your personal document.  Even though both
> pages were loaded from http://127.0.0.1:4567 or from
> http://testgrid.allmydata.org:3567 or whatever.
>
> In the long run it might be possible for us to arrange to do this, such
> as by embedding a unique string, possibly the verifycap or possibly an
> incrementing string, into the domain name, or by taking advantage of some
> not-yet-created mechanism to tell web browsers "No, no, these two things
> are of different origins even though they are loaded from the same host
> and port.".
>
> In the short run, it might be wise to avoid looking at pages in tahoe if
> they might have malicious content on them, unless you first turn off
> JavaScript in your web browser.  Hopefully someone will help us
> understand exactly how dangerous this situation is, by posting a working
> exploit or some sort of proof that is is safe.

New description:

 Several web security experts (who will remain unnamed in this ticket since
 they have yet to show me a working exploit) have said that if have a page
 containing JavaScript in one window or tab of a web browser, and you have
 another page in a different window or tab of that browser, that the web
 browser will inspect the "origin" of the JavaScript and the "origin" of
 the other page to decide whether the JavaScript will be allowed to read or
 change parts of the other page (including its URL).

 By "origin", these web security experts tell me, web browsers mean "host
 and port number" (or possibly they look at only the top two elements of
 the host domain name).  Since all pages that are stored on tahoe and that
 you are viewing in a web browser are coming from the same host (sometimes
 localhost or 127.0.0.1) and port number, this means any JavaScript that
 you view through your tahoe node can access all the URLs of all the other
 pages you have loaded (or possibly have ever loaded since you launched
 your browser) from Tahoe.  (Furthermore, just to make things worse, these
 web security experts allege that it might be possible for the JavaScript
 program to ''stay running'' in your browser even after you close that tab
 or window and continue to access your other tabs or windows which were
 loaded from the same "origin".)

 If true, this is bad.  Because those other pages, while they are loaded
 from the same host and portnumber, could actually be from very different
 ''origins''.  One might be a cute game that you want to play that was
 passed along from a friend of a friend.  Another might be your personal
 finance database with all of your bank account numbers and billing
 information.  We would like it if the web browser would allow you to play
 the fun game in one window, and edit your personal finance document in
 another window, without giving the game the ability to read (and therefore
 to upload) or change your personal document.  Even though both pages were
 loaded from http://127.0.0.1:4567 or from
 http://testgrid.allmydata.org:3567 or whatever.

 In the long run it might be possible for us to arrange to do this, such as
 by embedding a unique string, possibly the verifycap or possibly an
 incrementing string, into the domain name, or by taking advantage of some
 not-yet-created mechanism to tell web browsers "No, no, these two things
 are of different origins even though they are loaded from the same host
 and port.".

 In the short run, it might be wise to avoid looking at pages in tahoe if
 they might have malicious content on them, unless you first turn off
 JavaScript in your web browser.  Hopefully someone will help us understand
 exactly how dangerous this situation is, by posting a working exploit or
 some sort of proof that is is safe.

--

Comment (by nejucomo):

 While this ticket is about "accessing all your content" such as recovering
 the caps of victims, an attacker has a bootstrapping problem.  Attack
 scripts must either:

 * Run in the same origin as the tahoe gateway; or
 * Violate security guarantees despite the same origin policy.

 I've just posted a proof-of-concept attack in #1859 which can inject js
 into the tahoe grid and then execute it, starting from any domain.
 Therefore the latter attack approach can be upgraded to the former.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/615#comment:27>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage

More information about the tahoe-dev mailing list