This is a follow-up to [0] and [1]. Last night, I wrote: > It would probably be an interesting exercise to go through some more > dashboard widgets and grep for eval. I'd bet quite a bit that > there's much more out there. - The (top-50) facebook widget [2] uses the AllowFullAccess configuration option, which effectively means what it says. This widget also uses JSON to access numerous facebook functions, and eval() to parse the results. Most of facebook's API is accessed through plain HTTP, of course, so the discussion in [0] and [1] fully applies. It might be interesting to see whether one of the facebook JSON APIs is susceptible to cross-site-scripting attacks. The vulnerability is actually imported from the facebook API JavaScript library [7], and will affect any other JavaScript code that relies on that library. The following two are somewhat more shy with respect to the holes they blow into the dashboard's JavaScript sandbox, and therefore a bit less interesting: - The Hockey widget [3], currently presented as an Apple Staff Pick on [4], performs a lot of screen -- or rather, script -- scraping. Here's a little gem: var xmlResponse = xmlRequest.responseText; xmlResponse = xmlResponse.replace(/[\n\r]/g,""); var NHLatl = null; var gameData = xmlResponse.match(/script[^<]*var NHLatl.*?<\/script>/)[0].replace(/.*?var /,"").replace(/,\s*myScoresIcon.*/,"}"); eval(gameData); So, for a change, the threat is not due to JSON, but due to the use of eval to extract data from JavaScript embedded with some Web page out there. The privileges gaied with this one are a bit boring, as it's only the ability to go out on the network. But wait for the day on which AllowSystem is added in order to get Growl notifications of recent results! - The Flickr Interestingness widget [5] (unfortunately, these folks don't give a contact e-mail address) uses JSON with eval to check for the availability of upgrades, and to fetch data from the flickr API. This widget comes with the AllowInternetPlugins privilege, and is therefore another vector through which one could exercise, say, the latest QuickTime vulnerability. [6] 0. http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html 1. http://www.securityfocus.com/archive/1/484542/30/0/threaded 2. http://www.apple.com/downloads/dashboard/email_messaging/facebookwidget.html 3. http://www.apple.com/downloads/dashboard/sports/hockeywidget.html 4. http://www.apple.com/downloads/dashboard/ 5. http://www.apple.com/downloads/dashboard/blogs_forums/flickrinterestingness.html 6. http://www.securityfocus.com/bid/26549 7. http://developersdigest.org/wordpress/?page_id=4 Cheers, -- Thomas Roessler, W3C <tlr@xxxxxx>
