Who's guilty?
Both Firefox and Windows are to blame.
Firefox simplifies the process of finding the target function PR_Write, since it lives inside a DLL; this compromises the security of the web browser.
Windows lets our malicious FormGrabber interfere with Firefox's normal workflow without asking any questions. It lets our process execute code within Firefox's virtual address space and, more importantly, it lets our malicious process change segments of Firefox's code.
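One defensive check that follows from the point above, added here as an example and not taken from the original posts or the POC repository: compare the entry bytes of a hook-prone exported function (PR_Write is the one the posts name) as seen in the live process against the clean copy on disk, and flag the 5-byte relative JMP that an inline detour leaves behind. The byte arrays below are constructed samples, not real Firefox code; reading them from a running process would need OS-specific APIs that are not shown here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of comparing a function's in-memory entry bytes with its on-disk copy. */
typedef struct {
    int modified;      /* 1 if any byte differs */
    int inline_jump;   /* 1 if the entry now starts with a rel32 JMP (opcode 0xE9) */
    int32_t rel32;     /* displacement of that JMP, valid only when inline_jump == 1 */
    size_t first_diff; /* index of the first differing byte (n if none) */
} hook_report;

/* Compare n bytes of a function entry as seen in process memory (mem) against the
   clean image on disk (disk). An inline hook overwrites the entry with a relative
   JMP to injected code: byte 0 becomes 0xE9, followed by a little-endian int32. */
hook_report check_entry(const uint8_t *disk, const uint8_t *mem, size_t n)
{
    hook_report r = {0, 0, 0, n};
    for (size_t i = 0; i < n; i++) {
        if (disk[i] != mem[i]) { r.modified = 1; r.first_diff = i; break; }
    }
    if (r.modified && n >= 5 && mem[0] == 0xE9) {
        r.inline_jump = 1;
        /* assemble the displacement through uint32_t to avoid shifting a signed value */
        uint32_t d = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                     ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
        r.rel32 = (int32_t)d;
    }
    return r;
}

/* Where the detour lands: the address after the 5-byte JMP plus its displacement. */
uint64_t jump_target(uint64_t entry_addr, int32_t rel32)
{
    return entry_addr + 5 + (uint64_t)(int64_t)rel32;
}

/* Constructed samples (hypothetical, not real Firefox bytes): a hot-patchable x86
   prologue 'mov edi,edi; push ebp; mov ebp,esp; push ebx; push esi; push edi'
   and the same entry after a detour JMP (+0x1000) was written over it. */
static const uint8_t clean_prologue[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x53,0x56,0x57};
static const uint8_t hooked_prologue[8] = {0xE9,0x00,0x10,0x00,0x00,0x53,0x56,0x57};

int main(void)
{
    hook_report r = check_entry(clean_prologue, hooked_prologue, sizeof clean_prologue);
    if (!r.modified) { puts("entry matches on-disk image"); return 0; }
    printf("entry modified at byte %zu%s\n", r.first_diff,
           r.inline_jump ? " (inline JMP detour)" : "");
    if (r.inline_jump)
        printf("detour lands at 0x%llx\n",
               (unsigned long long)jump_target(0x10001000ULL, r.rel32));
    return 1;
}
```

A real scanner would run this comparison over every exported function of the modules Firefox uses for network I/O, since any of them can be patched the same way.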
How does it work?
Proof of concept
The proof of concept is open source and can be found here: https://github.com/recastrodiaz/formGrabber/. It includes instructions on how to run it on your machine.
The POC (Proof of Concept) has been successfully tested on Windows XP SP3, Windows 7 32-bit and Windows 7 64-bit with Firefox 11.0 and 12.0. Nevertheless, it has failed to work on at least one Windows 7 64-bit computer.
The following image shows an example of the network connections created by Firefox when logging in to a Facebook account. The first line represents the encrypted data sent over a secure tunnel between the web browser and facebook.com (namely HTTPS). The second is a copy of the first, but sent in plain text to localhost/postDemo.php. It contains the user's email and password: "myMail@mail.com" and "guessMe".
Facebook HTTPS has been compromised. The user's email and password are sent in clear text to localhost/postDemo.php
Almost all sensitive information, such as passwords, login credentials, bank account numbers, credit card numbers, etc., is sent from your web browser to a secure remote server through the web standard HTTPS POST when you fill in an online "form".
A form grabber is malicious code that intercepts POST data coming from web "forms" before the encryption takes place, thus bypassing the added security of the HTTPS protocol.
The following series of posts represents the completion of a university research project and a compilation of what was said at INSA de Lyon on 26 April 2012. You can find the slides here. I highly encourage you to read these posts while browsing through the presentation.
I am not responsible whatsoever for the use or misuse of the information hereafter. Be wise.
- CASTRO Rodrigo
- COQUET Matthieu
- SAUVAGNAT Xavier