The browser then, with the user’s credentials, loads the victim’s email list back to the attacker where the exploit downloads individual email messages. In an example, Pynnonen demonstrates how after the application is loaded, it accesses a special URL on the attacker’s site and is returned a 301 redirection to Gmail.
“When using the dotless decimal notation, a crossdomain.xml file granting full access is required on the attacker’s website.”Ĭrossdomain.xml files can extend policies that prevent this kind of outside access. “In some cases (plugin/browser versions) a dotless decimal form of the target sites’s IP address must be used instead of the human-readable host name,” Pynnonen explains. Pynnonen said a malicious app loaded from the attacker’s site would force the victim’s browser to redirect to a specially crafted URL, something that is supposed to be denied by the Unity app, but is instead allowed. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, Pynnonen said. Pynnonen explains that the vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local filesystem. “Without this modification, the Unity app simply won’t start.”Īn attacker exploiting the vulnerability would first have to lure the victim to the attacker’s site hosting the malicious Unity app, or inject the app onto a legitimate site or Facebook game, for example. This possibly will be removed later,” Pynnonen said. In order to run the plugin, you’d have to do a modification in the settings. “Chrome’s decision mitigates it quite a lot. In addition to the Unity Web Player being off by default (it can be re-enabled in settings for the time being before Google likely permanently disallows it), the move to shut off NPAPI affects other plugins including Java and Silverlight which are now also off by default. Testing Bug Game build Alpha Beta Gold Patch DLC Abandonware Play-through testing Unit testing Break testing WebGL Unity Web Player Standalone Review Quiz 1. Unity Technologies said the player has been downloaded more than 125 million times.ĭespite its prevalence, a recent decision by Google to disable in Chrome 42 the NPAPI, a ’90s-era API that is notorious for crashes and poses some security concerns, mitigates this vulnerability to a large extent. Facebook also uses the Unity Web Player in many of its games and has an SDK it offers to embed Facebook features in games. Unity Technologies develops the Unity Web Player alongside its game engine used to develop games for Windows PCs, Mac OS X machines, gaming consoles and mobile devices. Pynnonen said Unity Technologies today acknowledged the bug reports and is working on a patch and improving its security response. The partial disclosure was made after nearly six months of bug-report submissions from Finnish researcher Jouko Pynnonen to Unity that went unanswered. Some detail has been disclosed about a zero-day vulnerability in the Unity Web Player browser plugin that can allow an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services.
0 kommentar(er)
