Safari same origin hole

Background

Whilst investigating the same-origin JavaScript policy with Ronald from 0x000000.com/, I found another vulnerability in Safari 3.02 beta on Windows; it could also work on OS X but I haven’t tested it. Normally I would have reported this to Apple before releasing the details, however the last time I found a problem with Safari, Apple only seemed to respond and fix the problem when it went public. They even told me they don’t normally accept vulnerability reports unless you are registered as an Apple developer!

Overview

The same-origin policy works by checking the domain names of communicating windows or iframes; document.domain, a JavaScript property of the document object, is what allows or denies this. The problem is that IE6, IE7 and Safari allow you to overwrite the document object with your own. At the moment it appears only the Safari beta is vulnerable to this attack, but I am pretty sure that in future another attack will be available for IE6 and IE7.

Proof of concept

The POC connects to Amazon through an iframe, then overwrites the document object and stores a reference to the getElementById DOM function. The document object is then manipulated with the Amazon domain, but this would work with any domain. The script then displays your name from the Amazon page (if available) and shows your cookies gathered from that domain.
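As an added example (not part of the original post or of the POC it links to), here is a small JavaScript model of the two things the post relies on: how a browser decides that two documents share an origin, including the opt-in document.domain relaxation, and a probe that checks whether a window-like object lets script replace its document binding, which is the defect described above. The origin check compares scheme, host and port, which is the full rule rather than only the domain name the Overview mentions; the relaxation model is simplified. The window objects, host names and function names are constructed for illustration; in a real browser console the probe is run as probeDocumentOverwrite(window).

```javascript
// Added example: a model of same-origin checks plus a probe for an overwritable
// `document` binding. Runs in Node; the window objects below are constructed stand-ins.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Effective port of a parsed URL; the URL class reports "" for a scheme's default port.
function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// Origin = (scheme, host, port). All three must match; the host name alone is not enough.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${portOf(u)}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// document.domain may only be relaxed to the host itself or to a parent domain on a
// label boundary ("www.example.com" -> "example.com"). Requiring a dot in the new value
// is the rough guard old browsers used against relaxing to a bare TLD such as "com".
function isValidDomainRelaxation(hostname, newDomain) {
  if (newDomain === hostname) return true;
  return newDomain.includes('.') && hostname.endsWith('.' + newDomain);
}

// Simplified model of whether two documents may script each other. Each document is
// { url, domain }, where domain is what the page assigned to document.domain, or null
// if it never touched it. Relaxation is opt-in on BOTH sides: a document that never set
// document.domain is still compared by its full host name.
function canCommunicate(docA, docB) {
  const a = new URL(docA.url);
  const b = new URL(docB.url);
  if (a.protocol !== b.protocol || portOf(a) !== portOf(b)) return false;
  const relaxedA = docA.domain !== null;
  const relaxedB = docB.domain !== null;
  if (!relaxedA && !relaxedB) return a.hostname === b.hostname;
  if (relaxedA !== relaxedB) return false;
  if (!isValidDomainRelaxation(a.hostname, docA.domain)) return false;
  if (!isValidDomainRelaxation(b.hostname, docB.domain)) return false;
  return docA.domain === docB.domain;
}

// Probe for the defect the post describes: can script replace `document` on a window
// with an object of its own? A conformant engine ignores the assignment (or throws a
// TypeError in strict mode), so `document` still refers to the real Document afterwards.
// In a browser call probeDocumentOverwrite(window); it restores the original on the way out.
function probeDocumentOverwrite(win) {
  const original = win.document;
  const decoy = { marker: 'decoy' };
  try {
    win.document = decoy;
  } catch (e) {
    // strict-mode TypeError on a non-writable property: not overwritable
  }
  const overwritten = win.document === decoy;
  if (overwritten) win.document = original;
  return overwritten;
}

// Constructed window-like objects, not real browser objects: one exposes `document`
// as a plain writable property (the behaviour the post describes), the other as a
// non-writable, non-configurable property.
function makeLaxWindow() {
  return { document: { domain: 'www.example.com' } };
}

function makeStrictWindow() {
  const w = {};
  Object.defineProperty(w, 'document', {
    value: { domain: 'www.example.com' },
    writable: false,
    configurable: false,
  });
  return w;
}

console.log('same origin, default port made explicit:',
  sameOrigin('http://www.example.com/a', 'http://www.example.com:80/b'));                // true
console.log('http vs https:', sameOrigin('http://www.example.com/', 'https://www.example.com/')); // false
console.log('relaxed on both sides:', canCommunicate(
  { url: 'http://www.example.com/', domain: 'example.com' },
  { url: 'http://images.example.com/', domain: 'example.com' }));                        // true
console.log('lax window overwritable:', probeDocumentOverwrite(makeLaxWindow()));        // true
console.log('strict window overwritable:', probeDocumentOverwrite(makeStrictWindow()));  // false
```

The probe is deliberately identity-based (is `document` now the decoy?) rather than relying on an exception, because a non-strict engine that refuses the write fails silently, while a strict one throws; both count as "not overwritable".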

Currently only tested on Safari 3.02 beta on Windows, through file:// not http://.

Safari POC

Recommendation

I strongly recommend that you use Firefox instead of IE6, IE7 or Safari, as it is the only browser which denies access to overwriting the document object.

Firefox

One Response to “Safari same origin hole”

  1. Gareth Heyes writes:

    Confirmed working on OS X through file:// and Windows