Summary
Websites can predict links used in certificate warnings, Safe Money prompts, anti-phishing warnings and similar pages. This allows them to initiate actions without the user’s knowledge.
Description
The links used to override certificate warnings have the following format: https://<host>/?<link_id>_kis_cup_<GUID>_. Here, GUID is identical for all certificate warnings and link_id is a value that is counted up continuously. So if a website can get hold of one such link, it can predict what future links will look like. This allows triggering actions on behalf of the user, e.g. overriding the wrong certificate for another website. Similarly, websites can permanently disable Safe Money protection for a banking website: the prompt there uses the same link format and the same link_id counter. And while an anti-phishing warning is overridden with http://touch.kaspersky.com/kis_cup_<GUID>_<link_id>, it is once again the same values, so triggering this action automatically is possible as well.
The easiest way for a website to get hold of a valid link appears to be downloading its own certificate warning. Since certificate warnings are first-party as far as the website is concerned, it has complete access to them. The server needs to serve a valid certificate first so that the website can load, then switch to an invalid certificate so that any request will result in a certificate warning page from Kaspersky. The website can then download this warning page and read out the links from it.
Environment
Steps to reproduce
Multiple steps to reproduce are given here to demonstrate the various attacks possible, all tested in Firefox 64. First, overriding a certificate:

Download rebinding_server.py and certerror_override.html to some directory on your computer and run rebinding_server.py (Python 3 required). This will run an HTTPS server on https://localhost:5000/, with an additional server on http://localhost:5001/ that will make the primary server alternate between the first (supposedly valid) and second (invalid) SSL certificate.

Now disabling Safe Money functionality:

Download rebinding_server.py and disable_safemoney.html to some directory on your computer and run rebinding_server.py (Python 3 required). This will run an HTTPS server on https://localhost:5000/, with an additional server on http://localhost:5001/ that will make the primary server alternate between the first (supposedly valid) and second (invalid) SSL certificate.

And overriding anti-phishing prompts:

Download rebinding_server.py and phishing_override.html to some directory on your computer and run rebinding_server.py (Python 3 required). This will run an HTTPS server on https://localhost:5000/, with an additional server on http://localhost:5001/ that will make the primary server alternate between the first (supposedly valid) and second (invalid) SSL certificate.

Recommendations
Warning pages should not be first-party to the pages affected by them. Instead of directly serving HTML content within a 499 response, Kaspersky could produce a redirect to kis.v2.scr.kaspersky-labs.com here and produce the content under that location. This would prevent websites from accessing contents of such warning pages.
Even then, links triggering such important actions shouldn't be predictable. This is most easily achieved by using a real cryptographic signature such as HMAC-SHA256. A link like http://touch.kaspersky.com/?id=<link_id>&host=<host>&signature=<HMAC-SHA256(secret, link_id || host)> cannot be manipulated without knowing the user-specific secret, which will hopefully never be exposed to the web.
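The following is an added illustration of the recommended scheme, not code from Kaspersky or from this report. It signs override links with HMAC-SHA256 over link_id and host as suggested above and shows that a link obtained by counting link_id up, or pointing at a different host, no longer verifies. The parameter names and the touch.kaspersky.com host come from the recommendation; the NUL separator in the signed message and the hex encoding of the tag are assumptions made here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Per-user secret. In a real product it would be generated once on the
# user's machine and never handed to web content. Constructed for the example.
USER_SECRET = secrets.token_bytes(32)


def _message(link_id: int, host: str) -> bytes:
    # Encode link_id || host with a separator so the two fields cannot be
    # re-split into a different (link_id, host) pair that yields the same bytes.
    return f"{link_id}\x00{host}".encode()


def sign_override_link(secret: bytes, link_id: int, host: str) -> str:
    """Build http://touch.kaspersky.com/?id=..&host=..&signature=.. for one action."""
    tag = hmac.new(secret, _message(link_id, host), hashlib.sha256).hexdigest()
    query = urlencode({"id": link_id, "host": host, "signature": tag})
    return f"http://touch.kaspersky.com/?{query}"


def verify_override_link(secret: bytes, url: str) -> bool:
    """Accept the action only if the signature matches id and host under secret."""
    params = parse_qs(urlparse(url).query)
    try:
        link_id = int(params["id"][0])
        host = params["host"][0]
        tag = params["signature"][0]
    except (KeyError, ValueError):
        return False
    expected = hmac.new(secret, _message(link_id, host), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag via timing.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    link = sign_override_link(USER_SECRET, 42, "example.com")
    print(link)
    print("genuine link verifies:", verify_override_link(USER_SECRET, link))
    # A website that saw link 42 and guesses the next counter value gets nowhere.
    print("next id guessed:", verify_override_link(USER_SECRET, link.replace("id=42", "id=43")))
```

With the counter-only format described in this report, the second check would have succeeded; with the signature it fails unless the caller knows USER_SECRET.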
Attackers able to MiTM a user's internet connection (e.g. on a public WiFi) will be able to trick the user into unwittingly confirming a certificate override for high-profile websites such as Google, thus essentially disabling the MiTM protection offered by SSL.
Also, arbitrary websites will be able to disable Safe Money or anti-phishing protection for any website without any user interaction. Other Kaspersky Internet Security functionality might be similarly affected.