The ad security firm, Confiant carried out new research. The results were a little disturbing as they showed that secure contexts like sandboxed iframes may not be as secure as they are thought to be! They allow drive-by-downloads that may subject the system to cyber-attack.
A drive-by-download is spontaneous downloading that begins when a user visits a site and a file starts downloading without ever taking the permission of the user.
This technique is quite dangerous because it can be misused to infect the user with some unwanted or corrupted software or malicious program. Such things sometimes prompt users to download or click on things that will bring harm to their system.
Usually, these issues occur because of integrating more content on web pages. This content often comes from third parties like social networks, ads, widgets, etc.
When a web page has more content like this, it usually helps the webpage grow in size, but it also displays some things to the users that are not completely controllable.
Some of these external contents, like advertisements, are integrated through the <iframe> tag. Now, these are things that have a great security risk, so to make things more secure for the users, W3C added the ‘Sandbox’ attribute in the HTML specifications. This attribute limits the action from an iframe within a web page and makes it quite secure and protected.
Despite the precautions, in January 2020, the a news site got hacked and a malicious script was injected that started displaying original looking but fake Google Play Protect and Adobe Flash overlays to the users. These overlays would prompt the users to download a malicious APK file that would install the Anubis banking Trojan on Android and web devices.
It was initially construed as a mal-advertising campaign, but Confiant’s researcher Eliya Stein found out that these drive-by-downloads were initiated by the JavaScript embedded in the page.
Stein decided to check if the same script could cause a drive-by-download of an APK file in sandboxed cross-origin iframes.
A cross-origin iframe is basically an iframe having a different hostname.
Stein created a proof-of-concept page to test different browsers. This special sandboxed iframe had all those restrictions that are normally used by ads.
The conclusion was that Chrome 83 and Microsoft Edge both block the sandboxed cross-origin iframes, so the drive-by-download technique cannot work unless downloads are manually ‘allowed’ by a developer to the sandbox value.
However, Mozilla Firefox and Brave do not prevent the downloads in cross-origin iframes. While Safari would try to download the APK file but thankfully does not complete the procedure.
Mozilla Firefox’s developers later completed the code to block downloads in sandboxed iframes and this code will be added to the browser soon, which is a good step.
Some Android browsers would prompt the user to download the file but issue a warning that the file could be dangerous, and the rest of the mobile browsers showed inconsistent behavior.
Read next: Saving Edited PDFs on Google Chrome Will Now Be Easier Than Ever Before
A drive-by-download is spontaneous downloading that begins when a user visits a site and a file starts downloading without ever taking the permission of the user.
This technique is quite dangerous because it can be misused to infect the user with some unwanted or corrupted software or malicious program. Such things sometimes prompt users to download or click on things that will bring harm to their system.
Usually, these issues occur because of integrating more content on web pages. This content often comes from third parties like social networks, ads, widgets, etc.
When a web page has more content like this, it usually helps the webpage grow in size, but it also displays some things to the users that are not completely controllable.
Some of these external contents, like advertisements, are integrated through the <iframe> tag. Now, these are things that have a great security risk, so to make things more secure for the users, W3C added the ‘Sandbox’ attribute in the HTML specifications. This attribute limits the action from an iframe within a web page and makes it quite secure and protected.
Despite the precautions, in January 2020, the a news site got hacked and a malicious script was injected that started displaying original looking but fake Google Play Protect and Adobe Flash overlays to the users. These overlays would prompt the users to download a malicious APK file that would install the Anubis banking Trojan on Android and web devices.
It was initially construed as a mal-advertising campaign, but Confiant’s researcher Eliya Stein found out that these drive-by-downloads were initiated by the JavaScript embedded in the page.
Stein decided to check if the same script could cause a drive-by-download of an APK file in sandboxed cross-origin iframes.
A cross-origin iframe is basically an iframe having a different hostname.
Stein created a proof-of-concept page to test different browsers. This special sandboxed iframe had all those restrictions that are normally used by ads.
The conclusion was that Chrome 83 and Microsoft Edge both block the sandboxed cross-origin iframes, so the drive-by-download technique cannot work unless downloads are manually ‘allowed’ by a developer to the sandbox value.
However, Mozilla Firefox and Brave do not prevent the downloads in cross-origin iframes. While Safari would try to download the APK file but thankfully does not complete the procedure.
Mozilla Firefox’s developers later completed the code to block downloads in sandboxed iframes and this code will be added to the browser soon, which is a good step.
Some Android browsers would prompt the user to download the file but issue a warning that the file could be dangerous, and the rest of the mobile browsers showed inconsistent behavior.
Read next: Saving Edited PDFs on Google Chrome Will Now Be Easier Than Ever Before