Ben Broussard of Denim Group presented at OWASP Austin on 9/30 and highlighted a really interesting new kind of attack – Account Entrapment.
What is Account Entrapment?
Counter-intuitive at first glance, it’s not about an attacker gaining access to the victim account. It’s the opposite. It is the attacker being able to log the victim into his account without the victim knowing it. It’s done for the attacker’s gain, obviously.
3 Ways the Attacker Gains with Account Entrapment
Tell Me Your Secrets
It can get the victim to put their information into the attacker’s account. Use cases include credit card information, tax preparation and things like Dropbox. You are tricked into thinking you are working with your own account, but it is in fact the attacker’s.
Do My Homework
It can get the victim to do work for the attacker. Use cases include online poker tournaments, online homework, online bill pay, contests and sites like Fiverr.com. When the victim believes they are working under their own credentials, but are working under the attacker’s, the attacker can make them “do my homework.”
I Was Framed!
It can frame the victim by making it look like the victim has hacked the attacker – making it possible for them to frame the victim for hacking. This strategy could work for getting a boss or co-worker fired and other manipulation.
With repudiation like this, an attacker could also buy and sell stocks online - then if he loses money, he can claim it was the victim actually making the trades, since the victim has been active in his account.
How Does Account Entrapment Work with Cookie Abuse?
Cookie- based attacks involve leveraging the fact that cookies can be used across sister-domains. Due to looser Same-Origin Policy restrictions on cookies, the attack can actually originate from a sister domain. For example, myaccount.bank.com from marketing.bank.com.
The attacker finds a less-sensitive sister domain, like a marketing domain with an XSS or header injection vulnerability as a way to hit his target. Then the attacker tricks the victim to go to the sister site via phishing. The vulnerable sister domain then stores a logged-in session cookie to the victim’s browser. Then when the victim goes to the target site, say myaccount.bank.com, they’re actually in the attacker’s account. Now, they might notice on Facebook, but would they on Amazon.com? And if the path is set to a specific area, the victim may log into their own account and not notice the transition to the attacker’s account.
How to Defend Against Account Entrapment via Cookie Abuse
The sad truth is that the only defense is to remove XSS and header injection vulnerabilities everywhere in your web applications.
Ben also described some suboptimal defenses such as using different domains, not subdomains, for your critical web applications. You can also use referrer checking on every page, which will enforce the process of going to the login page first. This will stop attackers from forwarding victims to a logged-in page. However, as Ben pointed out, it also breaks stuff and can lead to user dissatisfaction.
Ben also suggested that web application developers also protect critical actions (like accessing money) by requiring the user to submit their password along with the request. This request under the attacker’s account would then fail. It’s pesky for users, however.
Another suboptimal remedy would be to make it very obvious to the user which account he is logged into – putting everything under one path/URL and tracking navigation through the query string.
Why is this happening?!?
So, what usually enables all of this nastiness to happen? For one thing, phishing, where the user voluntarily clicks on a link that downloads malware The typical attack vector is the victim clicking a link that forces the browser to take actions or phishing. Another attack vector involves the clever attacker search-engine-optimizing the malicious site to draw victims in.
Ben also discussed Account Entrapment with Login Cross Site Request Forgery (CSRF), which is a blog for another day!
For more information on Account Entrapment, check out Ben’s slides.
All of this highlights the need for businesses to monitor their networks and systems on an ongoing basis, both for the vulnerabilities Ben discussed, and also for activity indicative of an attack.