A clickjacking vulnerability in Google’s Chrome web browser could make it possible for attackers to pilfer users’ email addresses, their first and last names and other information.
The clickjacking, or UI redress, vulnerability was detailed earlier this week, along with a separate data extraction method, by Italian security researcher Luca De Fulgentis, who writes about security for Nibble Security’s blog.
De Fulgentis showed how an attacker could extract users’ information with the help of a malicious page that uses content from a page on Google’s support forums. If the victim is logged in, their email address, name and profile picture URL can be extracted from the browser via support.google.com, and similar user information can be pulled from web resources belonging to Microsoft’s Live.com and Yahoo!’s Profiles pages.
De Fulgentis also described a second data extraction technique: a two-step drag-and-drop method that relies on users unwittingly letting Chrome publish their data publicly.
“Instead of a cross-origin drag & drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the ‘dropper’ is a form (text area, input text field, etc.) located on the same domain,” De Fulgentis said.
Essentially, information that should be private ends up public when two flaws combine: the user is on a website that does not protect its pages with X-Frame-Options, the response header that prevents a page from being embedded in other sites, and that site consequently remains vulnerable to clickjacking.
De Fulgentis said the technique also works in Chrome against Amazon.com. Using the method described above, an attacker could publish the user’s information as a comment on an Amazon item.
Because Amazon’s site does not protect users’ information with an X-Frame-Options header, data such as a user’s email address and mobile number could be exposed under the right conditions.
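As an added example that is not from the article or from De Fulgentis’ write-up, the following Python classifier reads a response’s headers and reports whether Chrome would let another site frame the page, which is the precondition for the attacks described above; it also recognises the CSP frame-ancestors directive, the modern replacement for X-Frame-Options. The header sets at the bottom are constructed samples, not real captures.

```python
from typing import Dict, List, Optional, Tuple

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify whether Chrome may embed this response in another site's page.
    Level is 'blocked', 'same-origin', 'restricted' (listed origins only) or
    'unprotected' (clickjacking precondition); frame-ancestors wins over XFO."""
    csp = _header(headers, "Content-Security-Policy")
    ancestors = frame_ancestors(csp) if csp else None
    if ancestors is not None:
        sources = [s.lower() for s in ancestors]
        if not sources or sources == ["'none'"]:  # an empty source list means 'none'
            return "blocked", "CSP frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        if "*" in sources:
            return "unprotected", "CSP frame-ancestors allows any origin (*)"
        return "restricted", "CSP frame-ancestors " + " ".join(ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options or frame-ancestors header"
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # Chrome never implemented ALLOW-FROM, so it does not stop framing there.
        return "unprotected", "X-Frame-Options ALLOW-FROM is not honoured by Chrome"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"

# Constructed sample responses (not real captures); the last mirrors a site that sends no header.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"x-frame-options": "sameorigin"},
    "frameable": {"Content-Type": "text/html"},
}
REPORT = {name: framing_protection(h)[0] for name, h in SAMPLES.items()}
```

Running it against a real site's captured response headers (for example from a HAR export) shows at a glance which pages would be embeddable the way the article describes.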