99 second-hand smartphones are transported in a handcart to generate a virtual traffic jam in Google Maps. Through this activity, it is possible to turn a green street red, which has an impact in the physical world by navigating cars onto another route to avoid being stuck in traffic.
The clearfix, for those unaware, is a CSS hack that solves a persistent bug that occurs when two floated elements are stacked next to each other. When elements are aligned this way, the parent container ends up with a height of 0, and it can easily wreak havoc on a layout. The clearfix was invented to solve all that.
But to understand the clearfix, you have to go back even further, to 2004 and a particular technique called the Holly hack.
I had some nostalgic flashbacks whilst reading this 🙂
Make a request to evil-script, using a Content-Range header to suggest there’s more data to be loaded afterwards.
Have evil-script return a valid WAV PCM header block, but also have it return a Redirect response header to the cross-origin (!) location you want to read out.
Since a Content-Range header was used, the browser will make a second request to fetch the rest of the data.
A browser susceptible to this exploit will actually make the request to the remote location defined in the Redirect header.
Good browsers will stop here, throwing a CORS error.
Store the returned data in an <audio> element.
Play back the audio fragment, and meanwhile read out its data using a ScriptProcessorNode.
Not all browsers were affected by this bug: in Firefox you could only get the length of the returned content, and it was only in Edge that Jake was able to read out the actual contents of the generated wav file. Here’s a video of Edge (warning: as it’s raw data you’ll only hear glitches and stuff … you might want to turn down the volume):
Nice find Jake!
A shame the process of reporting this bug to the Edge team didn’t go that smoothly though (details in Jake’s post). I’m confident the Edge team will adjust / already have adjusted a few things internally to prevent this obstacle course from happening again.
Ruslan Habalov and Dario Weißer found a way to read contents from an iframe, using CSS3:
Accessing the DOM of an iframe that includes a cross-origin resource is forbidden by default. However, the content of the iframe was displayed in the same context as the rest of the site so we wanted to verify if there is side-channel potential that might allow us to leak state information through the interaction of browser features with the iframed content. With this in mind, we went ahead and tested various CSS features like transparency, rotation and mix-blend-mode on top of the cross-origin iframe.
By doing so, we discovered a bug that allowed side-channel attacking the CSS feature mix-blend-mode.
The bug was disclosed properly and has already been fixed.
Recently James Fisher received an email from Netflix asking him to update his credit card information.
“Odd,” I thought, “but OK, I’ll check.” The email is genuinely from netflix.com, so I clicked the link. It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?
I finally realized that this email is to [email protected]. I normally use [email protected], with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”.
Whenever you’re handling email addresses in your code, also beware of plus addressing (the “+tag” suffix Gmail and others accept). Additionally, James offers a nice idea on how Gmail could prevent lots of these scams.
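The scam above works because a service treated “james.fisher” and “jamesfisher” as two different customers while Gmail delivers both to one inbox. As an added example (not code from James’ post or from any service mentioned), here is a small Python canonicalization routine a sign-up or account-lookup path could use to recognize that two written forms map to the same mailbox. The provider rules are assumptions: Gmail (and googlemail.com) ignore dots and case in the local part and strip “+tag”; every other domain is left untouched, because dots are significant there and plus addressing is not universal. The sample sign-ups are constructed.

```python
"""Canonicalize e-mail addresses so that Gmail's dot-insensitivity and
plus addressing don't let one mailbox show up as several accounts.

Added example; not code from the linked article. Provider rules are
assumptions that cover Gmail only."""

# Domains whose local part is dot- and case-insensitive (assumption: Gmail only).
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}

# Domains known to support '+tag' sub-addressing (assumption; extend per provider).
PLUS_ADDRESSING_DOMAINS = {"gmail.com"}


def canonical_email(address: str) -> str:
    """Return the canonical mailbox identifier for an address.

    Raises ValueError for input that is not a simple 'local@domain' form."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a simple mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain == "googlemail.com":
        domain = "gmail.com"  # Google delivers both domains to the same mailbox
    if domain in PLUS_ADDRESSING_DOMAINS:
        local = local.split("+", 1)[0]  # drop the '+tag' sub-address
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()  # dots and case don't matter
    # For unknown providers the local part is left as written: RFC 5321 makes
    # it opaque to everyone but the receiving server, so "jane.doe" and
    # "janedoe" may well be two different people.
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both written forms resolve to the same canonical mailbox."""
    return canonical_email(a) == canonical_email(b)


def find_duplicate_signups(addresses):
    """Group raw addresses by canonical mailbox and return only the mailboxes
    that were registered under more than one written form."""
    groups = {}
    for raw in addresses:
        groups.setdefault(canonical_email(raw), []).append(raw)
    return {mailbox: forms for mailbox, forms in groups.items() if len(forms) > 1}


# Constructed sample sign-ups for the demonstration; none are real accounts.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "janedoe@gmail.com",
    "JaneDoe+netflix@googlemail.com",
    "jane.doe@example.org",
    "janedoe@example.org",
]


if __name__ == "__main__":
    for mailbox, forms in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{mailbox} was registered as: {', '.join(forms)}")
```

In the sign-up flow, a hit from `find_duplicate_signups` (or `same_mailbox` against the existing user record) is the point to stop and treat the request as the existing account rather than silently creating a second one; the example.org pair stays separate on purpose.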
UPDATE 2017.11.29: Apple has released a security update, fixing this nasty bug. Open AppStore.app and check the updates section to download it. No reboot required.
As Mattias detailed, a root user with no password gets created upon testing this. While awaiting a security patch from Apple, you can lock this user down by explicitly setting a password for its account (using Terminal.app):