All Your Screens Are Belong to Us: Attacks Exploiting the HTML5 Screen Sharing API

HTML5 changes many aspects of the browser world by introducing numerous new concepts; in particular, the new HTML5 screen sharing API dramatically alters the security posture of browsers. One of the core assumptions on which browser security is built is that there is no cross-origin feedback loop from the client to the server. However, the screen sharing API allows such a cross-origin feedback loop to be created. Consequently, websites will potentially be able to see all visible content on the user's screen, irrespective of its origin. This cross-origin feedback loop, when combined with the limitations of human vision, can introduce new vulnerabilities. An attacker can capture sensitive information from the victim's screen using the new API without the victim's consent. We investigate the security implications of the screen sharing API and discuss how existing defenses against traditional web attacks fail during screen sharing. We show that several attacks are possible with the help of the screen sharing API: cross-site request forgery, history sniffing, and information stealing. We discuss how popular websites such as Amazon and Wells Fargo can be attacked using this API and demonstrate the consequences of the attacks, such as economic losses, compromised accounts and information disclosure. The objective of this paper is to present the attacks using the screen sharing API, analyze their fundamental cause and motivate potential defenses for designing a more secure screen sharing API.
