
JVNDB-2020-018328

Falsification and eavesdropping of contents across multiple websites via Web Rehosting services

Overview

Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues in a class of web services they call Web Rehosting that allow the content a user views to be tampered with and eavesdropped on. The findings were published at NDSS 2020.

"Web Rehosting" is the name this study gives to a class of web services that retrieve content from a user-specified website and host it again on their own server.
Web rehosting includes web proxy services that let users enter the URL they want to view in a web form, web translation services that translate an entire website, and web archive services that store snapshots of websites.

If a web rehosting service does not take measures against the attacks listed in this advisory, an attacker's website rehosted through the service can manipulate browser resources (such as cookies, storage, Service Workers, saved credentials and granted permissions) that the user's browser associates with the service's origin, resulting in security and privacy violations.

Web rehosting service owners can refer to the "Solution" section for countermeasures.

Please refer to JVNTA#96129397 for more details.

This document was written by Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Secure Platform Laboratories), and JPCERT/CC to alert service providers and users.

CVSS Severity

Affected Products

The browser of any user of a web rehosting service.

(Multiple Vendors)
  • (Multiple Products)

Impact

(I) Persistent MITM
A Service Worker or AppCache registered by a malicious website accessed through a web rehosting service is installed under the rehosting service's origin and remains in the user's browser after the page is closed. It can then intercept and modify requests for other websites the user later views through the same service, i.e. act as a persistent man-in-the-middle.

(II) Privilege Abuse
When a user grants a website accessed through a web rehosting service permission to use resources such as the camera or location data, the browser records the grant against the rehosting service's origin. The same permission therefore applies to any malicious website the user subsequently accesses through the same service, which can use the camera or location without asking again.

(III) Credential Theft
When a user logs in to a website through a web rehosting service and lets the browser's password manager save the credentials (e.g. ID and password), the browser stores them against the rehosting service's origin. When the user later accesses a malicious website through the same service, the password manager can automatically fill a login form on that page with the stored credentials, which the malicious page can then read.

(IV) History Theft
A rehosted malicious website can read localStorage and cookie data left behind by other websites previously accessed through the same web rehosting service, since all of them share one origin. Such data can reveal sensitive information such as which websites the user has visited.

(V) Session Hijacking and Injection
In session hijacking, script on a rehosted malicious website reads the session cookies that another rehosted website (for example a social networking or e-commerce site) set in the shared origin, and the attacker uses them to log in as the victim, steal personal information and impersonate the victim. In session injection, the attacker forces the victim's browser to hold a session cookie for an account the attacker prepared, so that the victim is logged in to the attacker's account; the attacker can then track the victim's activity (e.g. search and viewing history) and collect personal information the victim enters.

Solution

Web rehosting services should implement the following countermeasures:

Set a different subdomain for each rehosted website
This countermeasure is effective against all of the attacks above.

Serve each rehosted website from its own subdomain so that the browser's Same-Origin Policy isolates one rehosted website from another. In a design where every rehosted website is served from the same origin, e.g.

(https://rehosted.example/?url=a.example)
(https://rehosted.example/?url=b.example)

all rehosted websites share the origin https://rehosted.example, so their cookies, storage, Service Workers, permissions and saved credentials are pooled. With a per-site subdomain, e.g.

(https://a-example.rehosted.example/)
(https://b-example.rehosted.example/)

each rehosted website has a distinct origin and the browser keeps their resources apart.

Set a temporary URL for each rehosted website
This countermeasure is effective against all of the attacks above.

For example, embedding a random, short-lived token in the URL makes the URL of a rehosted website unguessable by an attacker, so the attacker cannot prepare content that targets it. However, this method cannot be used in services in which URLs are shared among multiple users, such as web archives.

Disable Service Worker and AppCache
This countermeasure is effective against attack (I).

When a browser fetches a Service Worker script, the request carries the header field Service-Worker: script. A web rehosting service can detect such requests and refuse to relay them (returning an error instead of the script), which prevents a malicious Service Worker from being installed in the user's browser.
To prevent malicious AppCache behavior, refuse to rehost the cache manifest file that AppCache requires.

In general, many web rehosting services do not deliberately support Service Worker or AppCache, because rehosting changes the URLs: the Service Worker script and cache manifest URLs that the original website declares no longer point anywhere useful once the site is rehosted. An attack succeeds only because the attacker can predict the URL under which the malicious Service Worker script or cache manifest will be served through the rehosting service. In other words, the Service Worker and AppCache of a rehosted website can be abused but cannot serve their intended function, so disabling them does not interfere with the purpose of the web rehosting service in most cases. However, if a web rehosting service deliberately supports Service Worker and/or AppCache, some functionality may become unavailable. (AppCache has since been removed from current versions of the major browsers; Service Workers remain.)
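An added example (not code from the advisory or from any rehosting service) of the request and response filtering described in this section, run over constructed sample requests and responses. The paths, headers and bodies below are made up for illustration. The filter rejects fetches that carry the Service-Worker header, refuses to relay responses that are AppCache manifests (by media type or by the "CACHE MANIFEST" first line), and strips the manifest attribute from rehosted HTML so the browser never requests one.

```javascript
// Added example, not code from the advisory or from any rehosting service.
// Sample requests, responses and paths below are constructed for illustration.

function lowercaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Browsers add "Service-Worker: script" to the fetch for a worker script.
// A rehosting proxy should answer such requests with an error rather than
// relay them, so no worker can be registered under the service's origin.
function shouldRejectRequest(req) {
  const h = lowercaseKeys(req.headers);
  return h["service-worker"] !== undefined;
}

// AppCache manifests are served as text/cache-manifest and begin with the
// line "CACHE MANIFEST"; refuse to relay either form to the browser.
function shouldRejectResponse(res) {
  const h = lowercaseKeys(res.headers);
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  const body = typeof res.body === "string" ? res.body : "";
  return mediaType === "text/cache-manifest" || body.startsWith("CACHE MANIFEST");
}

// Additionally drop the manifest attribute from rehosted HTML so the browser
// never asks for a manifest in the first place.
function stripManifestAttribute(html) {
  return html.replace(/<html\b([^>]*?)\s+manifest\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "<html$1");
}

// Constructed samples: one worker-script fetch, one ordinary script fetch.
const sampleRequests = [
  { method: "GET", path: "/sw.js", headers: { "Service-Worker": "script", Accept: "*/*" } },
  { method: "GET", path: "/app.js", headers: { Accept: "*/*" } },
];

// Constructed samples: a manifest and an HTML page that references one.
const sampleResponses = [
  { headers: { "Content-Type": "text/cache-manifest" }, body: "CACHE MANIFEST\n/evil.js\n" },
  { headers: { "Content-Type": "text/html; charset=utf-8" },
    body: '<html manifest="app.appcache"><body>hi</body></html>' },
];

// Run the three filters over the samples and report what they did.
function filterSamples() {
  return {
    rejectedRequests: sampleRequests.filter(shouldRejectRequest).map((r) => r.path),
    rejectedResponses: sampleResponses.filter(shouldRejectResponse).length,
    cleanedHtml: stripManifestAttribute(sampleResponses[1].body),
  };
}
```

Rejecting on the presence of the Service-Worker header, whatever its value, is deliberate: the only request the browser ever tags with it is a worker-script fetch, so there is nothing legitimate to lose.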

Render the rehosted website in a sandboxed iframe
This countermeasure is effective against attack (II).

A frame loaded with the sandbox attribute (without the allow-same-origin keyword, which would hand the frame the rehosting service's origin again) has an opaque origin, and permission requests such as camera or location from such a frame are denied. A web rehosting service can therefore block malicious permission requests by displaying the rehosted website inside a sandboxed iframe. Some web rehosting services already do this.

Set the HttpOnly attribute on the session cookie
This countermeasure is effective against attack (V).

When relaying a Set-Cookie header from the original website to the user's browser, a web rehosting service can add the HttpOnly attribute to the session cookie, so that JavaScript on any rehosted page can neither read nor overwrite it. HttpOnly is the generally recommended countermeasure against session hijacking via XSS, and the shared-origin situation here is analogous. It only limits script access to the cookie and does not separate the cookies of different rehosted websites, so it complements rather than replaces the per-site subdomain countermeasure above.
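An added example (not code from the advisory or from any rehosting service) of rewriting relayed Set-Cookie headers so that session cookies reach the browser with HttpOnly set. Which cookies count as session cookies is the service's decision; the name list below is an assumption for illustration, and the predicate can be swapped for one that marks every cookie.

```javascript
// Added example, not code from the advisory or from any rehosting service.
// The session-cookie name list is an assumption; sample headers are constructed.

// Assumed names of cookies that should be treated as session cookies.
const SESSION_COOKIE_NAMES = new Set(["sessionid", "phpsessid", "jsessionid", "connect.sid"]);

function defaultIsSession(name) {
  return SESSION_COOKIE_NAMES.has(name.toLowerCase());
}

// Split a Set-Cookie header into name, value and attribute list.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  return { name, value, attrs };
}

function serializeSetCookie(c) {
  return [`${c.name}=${c.value}`, ...c.attrs].join("; ");
}

// Add HttpOnly to a relayed Set-Cookie header when the cookie is a session
// cookie and the attribute is not already present; other cookies pass through.
function enforceHttpOnly(header, isSession = defaultIsSession) {
  const c = parseSetCookie(header);
  if (!isSession(c.name)) return header;
  if (!c.attrs.some((a) => a.toLowerCase() === "httponly")) c.attrs.push("HttpOnly");
  return serializeSetCookie(c);
}

// Apply to every Set-Cookie header of an upstream response before relaying.
function rewriteSetCookieHeaders(headers, isSession = defaultIsSession) {
  return headers.map((h) => enforceHttpOnly(h, isSession));
}

// Constructed sample: what an upstream site might send back on login.
const sampleUpstreamSetCookie = [
  "sessionid=abc123; Path=/; Secure",
  "theme=dark; Path=/",
  "PHPSESSID=xyz; Path=/; HttpOnly",
];
```

Attributes other than HttpOnly are left exactly as received; in particular the example does not add Secure or touch Domain, which the service has to handle as part of its URL rewriting anyway.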


For web rehosting service users, the following measures are recommended:

Use your browser's private browsing mode
This measure is effective against attacks (I) to (V).

If you use the web rehosting service in a private browsing window, each of the attacks above is less likely to succeed, because Service Worker registrations, cookies and other stored data are discarded when the private browsing session ends (that is, when all private windows are closed). Data created earlier in the same private session is still shared, so this is a mitigation rather than a complete fix.

Do not log into websites on the web rehosting service
This measure is effective against the attacks (III) and (V).

Do not grant permissions on the web rehosting service
This measure is effective against the attack (II).

Vendor Information

CWE

CVE

References

  1. JVN: JVNTA#96129397
  2. Related document: Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites (NDSS 2020)

Revision History

  • [2024/09/12]
      Web page was published