
Security Bits — 16 May 2021

Feedback & Followups

  • Twitter is continuing its moves to nudge people on its platform towards being better netizens by adding a dialogue to their mobile app warning users when they use potentially abusive language in replies — www.macobserver.com/…
  • Facebook is pressing ahead with the controversial WhatsApp privacy policy change that it postponed earlier in the year. The new policy shares more data between WhatsApp and Facebook. Users who don’t accept the new policy will get ever-degrading service until they do — www.bleepingcomputer.com/…
  • 🇬🇧 Peer-reviewed research has backed previous estimates that the UK’s COVID tracking app which uses the Apple & Google API saved thousands of lives — www.imore.com/…
  • 🇺🇸 CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise — us-cert.cisa.gov/…
  • CHIP, the collaboration between many of the big tech companies to define a single standard for home automation devices, has launched, and it has a new name – Matter. Devices with the certification are expected to start shipping by the end of the year — www.imore.com/…

Deep Dive 1 — Cross-browser user tracking with Scheme Flooding

The distinctly grey-hat folks at FingerprintJS have done a very ethical and correct thing by disclosing a new collection of browser bugs that allow not just cross-site tracking even with all protections enabled, but even cross-browser tracking, detecting you as the same person even on different browsers on the same computer.

FingerprintJS’s entire business is built around building a permanent unique identifier based on browser fingerprinting. They could market this tech to ad agencies and tracking companies, but instead, they market it as a fraud protection tool. How much of a difference that choice of marketing approach makes in how their products get used, I have no idea!

But, given that it would be in their financial interest to keep the bugs they found secret, I do have to applaud them for choosing the good of the online community over short-term profits.

So, what did they find?

This is not a single bug, but instead, a collection of different bugs all related to the same technology, and all having pretty much the same effect.

URL Schemes

A URL starts with a URL Scheme followed by a :. We’re used to seeing things like http:// and https://, but OSes allow for lots more URL schemes, and those URL schemes can be used to create links from the web into content in other apps, so-called deep linking. This is how it’s possible for a web page to open a specific meeting in Zoom, for example — the page has a link using Zoom’s URL scheme, probably zoom://. Every app you install can choose to register a URL scheme with the OS, so the URL schemes that work tell you what apps are installed. If you don’t have Zoom installed, zoom:// URLs won’t work.

JavaScript Detection of Installed Apps

In theory, it should be impossible for JavaScript in a web page to know what URL schemes do or don’t work. When you click on a Zoom link the browser hands that request off to the OS, and there is no official API for telling JavaScript what happened. The problem is that each of the four main browsers has a bug that allows JavaScript to figure out whether or not the link opened, regardless of the intentional lack of an API for doing that.

This means that JavaScript can detect what apps are installed on a given computer. Combined with a few other signals like IP address and screen resolution, for example, this can easily leak enough information to make a reliable fingerprint of your computer, and what’s worse, a fingerprint that will be the same in any affected browser, and in private/incognito mode!

A proof of concept demo shows the technique working on Chrome, Firefox, Safari, and the TOR browser. However, there’s no reason to assume the same or similar flaws don’t exist in all Chromium, WebKit, and Firefox-based browsers, i.e., in just about every browser.
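The tell-tale pattern of the technique described above is a page attempting many distinct custom-scheme navigations in quick succession. The following is an added example, not code from the Security Bits post or from FingerprintJS, of a defender-side heuristic that a browser extension or test harness could run over the navigations a page attempts; the event shape, the scheme names other than zoom://, and the thresholds are assumptions.

```javascript
// Added example, not code from the Security Bits post or from FingerprintJS.
// Flags "scheme flooding": many distinct custom (deep-link) URL schemes probed
// within a short time window. Event shape and thresholds are assumptions.

// Schemes the web itself uses; anything else is treated as an OS-registered
// deep link (zoom:// and so on) and therefore as a possible app probe.
const WEB_SCHEMES = new Set(["http", "https", "about", "blob", "data", "javascript", "mailto"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

function isDeepLink(url) {
  const s = schemeOf(url);
  return s !== null && !WEB_SCHEMES.has(s);
}

// events: [{ t: milliseconds since page load, url }], in time order.
// Returns the first window of `windowMs` holding at least `threshold`
// distinct deep-link schemes, or { flooding: false } if there is none.
function detectSchemeFlooding(events, { windowMs = 5000, threshold = 5 } = {}) {
  const probes = events.filter((e) => isDeepLink(e.url));
  let start = 0;
  for (let end = 0; end < probes.length; end++) {
    // Slide the window start forward until the window fits within windowMs.
    while (probes[end].t - probes[start].t > windowMs) start++;
    const distinct = new Set(probes.slice(start, end + 1).map((e) => schemeOf(e.url)));
    if (distinct.size >= threshold) {
      return { flooding: true, schemes: [...distinct].sort(), windowStart: probes[start].t };
    }
  }
  return { flooding: false, schemes: [], windowStart: null };
}

// Constructed sample input (scheme names other than zoom:// are made up):
// a page that opens one meeting link, and a page that rapidly probes six apps.
const LEGIT_PAGE = [
  { t: 0, url: "https://example.com/meeting" },
  { t: 1200, url: "zoom://join?confno=123" },
];
const FLOODING_PAGE = [
  { t: 0, url: "https://example.com/" },
  { t: 100, url: "zoom://" }, { t: 150, url: "chat-app://" }, { t: 200, url: "bank-app://" },
  { t: 250, url: "music-app://" }, { t: 300, url: "game-app://" }, { t: 350, url: "video-app://" },
];

console.log(detectSchemeFlooding(LEGIT_PAGE), detectSchemeFlooding(FLOODING_PAGE));
```

A single deep link clicked by the user stays well under the threshold; only a burst of distinct schemes, which is what a page needs in order to enumerate apps, trips the heuristic.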

It’s Worse than Just Tracking, it’s also Profiling

The unique set of apps you have installed is not just a relatively unique fingerprint, it also says a lot about you! If you have Grindr installed you’re probably gay, if you have the Bank of Ireland app installed you probably bank with BOI, so you’re probably Irish or in Ireland, and, you might fall for some BOI-targeted phishing too!

Some Silver Linings

The most important thing to note is that these are implementation problems, not design flaws. Neither deep linking nor the browsers’ approach to it is fundamentally broken. The vendors simply have to fix a few unintended data leaks, and we shouldn’t lose any functionality as a result of those fixes.

A second important silver lining is that for all of the affected browsers other than the TOR browser (ironically), the attack is not silent: a popup will be triggered for each URL scheme checked. TOR, unfortunately, does leak the data, but it also suppresses the popups, so the attack is silent there 🙁

We Just Have to Wait 🙁

For now, there is simply no way to protect from this vulnerability. We’re at the mercy of the browser vendors who will need to patch their browsers.

Links

Deep Dive 2 — 🧯 The AirTags are Fine

You’ve probably seen a lot of reporting that AirTags have been jailbroken, and, that the FindMy network has been ‘hacked’.

There’s truth behind both stories, but, there is also absolutely no need whatsoever to panic!

Firstly, the jailbreaking is difficult to do and requires physical access and advanced equipment. Basically, the attacker needs to zap the AirTag with exactly the right intensity of EM pulse at exactly the right point in the boot process to flip a proverbial switch and enable a debug mode that they can then use to access and alter the firmware. If they zap too softly or at the wrong time the switch doesn’t flip and they can’t access the firmware, and if they zap too hard the AirTag reboots again (or they get a fried AirTag).

So, while it is possible this technique will get refined, and someone could theoretically build a tool to make the jailbreak more reliable, it’s still going to involve an attacker physically connecting your AirTag to a device. Bottom line — this is not something regular folks need to worry about, but it is yet another reason not to walk around with a tracker if you’re important enough to be of interest to some nation’s spies.

Secondly, the FindMy network hasn’t really been hacked. A German researcher has found a clever way to piggyback the transmission of a very small amount of data onto the regular BTLE check-in messages the tags send.

The only conceivable malicious use would be to sneak a small amount of data over an air gap very, very slowly, but it would need to be in a place that’s so secure it has air-gapped systems, and yet allows people to carry around smartphones. I can’t think of anywhere that would be simultaneously so valuable that everything has to be AirTagged and yet not valuable enough to make people leave their phones at the door.

Again, the bottom line is clear, absolutely nothing for us regular folk to worry about!

Links

❗ Action Alerts

Notable News

Excellent Explainers

  • A fantastic post by Glenn Fleishman that uses stories to illustrate what AirTags are good at, OK at, and what Apple need to improve — 13 AirTag Tracking Scenarios — tidbits.com/…
  • A nice explanation of what an Integer Overflow is, using recent problems on the NY Stock Exchange caused by Warren Buffett’s Berkshire Hathaway being too valuable — nakedsecurity.sophos.com/…

Interesting Insights

  • Allison: Flurry Analytics are releasing daily numbers on what they are seeing in their network of apps in terms of users’ App Tracking Transparency settings — www.flurry.com/…

Palate Cleansers

  • 🎧 An excellent telling of the fascinating story of a multi-generational science experiment: Science Vs: A Seedy, Late-Night Adventure — overcast.fm/…

  • An excellent long-form article describing the efforts of current-day advisors to the World Health Organization and the fact that a 1955 book on tuberculosis led us astray and prevented the knowledge that we should wear masks to protect from COVID-19: [The 60-Year-Old Scientific Screwup That Helped Covid Kill — www.wired.com/…](https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/)

  • Allison: My login for the US Federal tax payment website wasn’t working. I called the help desk. The voice recording said, and I swear I’m not making this up:
    > We can no longer accept web browsers using SSL V3 or TLS 1.0. Please update to a browser that supports TLS 1.1 or 1.2. If you’re having trouble, please contact your browser manufacturer.

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji: Meaning
  • 🎧: A link to audio content, probably a podcast.
  • ❗: A call to action.
  • (flag): The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • 📊: A link to graphical content, probably a chart, graph, or diagram.
  • 🧯: A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
  • 💵: A link to an article behind a paywall.
  • 📌: A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • 🎩: A tip of the hat to thank a member of the community for bringing the story to our attention.
