Spook.js: speculative execution resulting in cross-domain browser information leakage

Security Notice: Speculative execution in web browsers resulting in information leakage (Spook.js)

Overview

On , a group of university researchers sent Atlassian white paper describing attacks against Google Chrome’s strict site isolation implementation, a mechanism used by the browser to protect against speculative execution attacks. Though their focus was on Chrome, the researchers noted the strict site isolation implementation is affected in all Chromium-based browsers (e.g. Microsoft Edge, Brave), as well as Mozilla Firefox.

The report includes an attack that allows an attacker to obtain a list of bitbucket.io URLs loaded in a user’s browser tabs by tricking them into loading a malicious web page.

Atlassian has implemented the researchers' suggested mitigation against this attack to protect users with web browsers that use strict site isolation. No other action is required.

Vulnerability Details

Google Chrome uses strict site isolation to put content from different domains in separate address spaces to protect against speculative execution attacks. Domains that share the same effective top-level domain + 1 (eTLD+1) share the same address space. For example, a browser with foo.example.com open in one tab and bar.example.com open in another tab would load the content for each in the same address space since they share the same eTLD+1 (example.com). Conversely, a browser with www.example.com open in one tab and www.example.org open in another tab would load the content for each site in separate address spaces since they do not share an eTLD+1 (example.com versus example.org).

Bitbucket Cloud users can create static websites containing custom HTML and javascript. Each website is created as a subdomain of bitbucket.io. Prior to mitigating this issue, websites owned by different users shared the same eTLD+1, which means the browser could load malicious content from one site (e.g. <attacker>.bitbucket.io) in the same address space as content from another site (e.g. <workspaceId>.bitbucket.io), allowing the malicious site to read content from any other bitbucket.io sites.

Impact

This attack allows an attacker to obtain a list of bitbucket.io sites a user has open in other tabs by creating a static website containing malicious javascript, and tricking the user into loading that website in their browser.

Bitbucket does not set session cookies on any bitbucket.io domains, so no other customer data is at risk.

An attacker could also obtain the contents of the bitbucket.io pages loaded in the user’s other tabs, though this does not result in an information leak because the contents of all Bitbucket Cloud static websites are publicly accessible:

The static website you create with this feature is just like any other website on the Internet — anyone with the URL can visit and view your static website. The underlying Bitbucket repository can be a public or a private repository. This means if your Bitbucket repository is private, users can still visit and view the static website. The same is true if the underlying repository is public.

Mitigation

Atlassian has added bitbucket.io to the Public Suffix List (PSL). Browsers use this information to treat each subdomain of bitbucket.io as a unique eTLD+1, which prevents information leak attacks described in the Vulnerability Details section. No further action is required for users that visit bitbucket.io with browsers that use strict site isolation as described in the section above.

References

0 comments

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events