Monday, June 20, 2011

Phishing Web-Based Email Services with HTML5

Abstract: This paper presents a novel approach to phishing using the programmable session history stack introduced in HTML 5. The technique is implemented and tested against a sample of 100 Gmail users and 100 Yahoo Mail users. In this preliminary testing the technique has shown to be effective against approximately 9.5% of recipients.

As the internet is becoming more ubiquitous and browsers are becoming more powerful, more and more people are moving away from traditional native applications and are doing most of their computing in the web browser.  Google recently released its CR-48 Chrome notebook, a laptop whose only operating system is the browser itself and which has no native applications.

Web-based email applications are also increasing in popularity.  Many users are moving away from native applications such as Microsoft Outlook and towards web services such as Google's Gmail, Microsoft's Hotmail, and Yahoo's Mail.  Most websites use email as a means of identity control, allowing users to reset their passwords by clicking on a reset link that is sent to them by email.  This makes access to a user's email account desirable for hackers and identity thieves.

HTML 5 is the latest standard (in progress) for the markup language most commonly used for building content on the web.  HTML 5 introduces many powerful new features, which allow developers to build more powerful and useful web-based applications.  One of the new features in HTML 5 is the addition of a History Interface, which allows programmatic manipulation of the session navigation history.

In this paper I present a new phishing technique, which uses the HTML 5 History Interface to trick users into giving an attacker their email credentials.  Users receive a link in their email to a harmless-looking website.  When the website loads, a fake entry is added to the session history.  If the user clicks the "Back" button in the browser, they are shown a fake version of their web-based email application asking them to re-enter their password.  The attack takes advantage of the fact that, since the link was sent to a web-based email service, the attacker can guess what the previous page looks like.  It also takes advantage of the fact that users may implicitly trust a website that appears to be the page they navigated from after clicking the back button.
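The following is an added educational model, not code from the paper or from any of the email services it names. It re-creates, in a small in-memory stack that runs under Node without a browser, the two pieces of the History Interface the technique relies on (history.pushState and the popstate event fired by the "Back" button) and the caveat a defender should know: the spec only allows pushState to add entries whose URL is same-origin with the current document, so after "Back" the address bar still shows the origin of the page the link led to, not the mail provider's. The origins, paths and state objects below are constructed examples, and the model omits everything in the spec that is not needed to show this.

```javascript
// Added educational model of the HTML5 session history, not the paper's code.
// Origins and paths below are constructed examples.

class SecurityError extends Error {}

// Minimal model of a browsing context's session history for one document.
class SessionHistory {
  constructor(initialUrl) {
    this.entries = [{ url: new URL(initialUrl), state: null }];
    this.index = 0;
    this.listeners = [];
  }

  get location() { return this.entries[this.index].url; }
  get length() { return this.entries.length; }

  // Equivalent of window.addEventListener('popstate', fn).
  onPopState(fn) { this.listeners.push(fn); }

  // history.pushState(state, title, url): the URL is resolved against the current
  // document and rejected with SecurityError if its origin differs from the document's.
  pushState(state, _title, url) {
    const resolved = new URL(url, this.location);
    if (resolved.origin !== this.location.origin) {
      throw new SecurityError('pushState: url must be same-origin with the document');
    }
    // Any forward entries are discarded, then the new entry becomes current.
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url: resolved, state });
    this.index = this.entries.length - 1;
  }

  // history.back(): a same-document traversal does not reload anything; it only
  // changes the current entry and fires popstate with that entry's state.
  back() {
    if (this.index === 0) return;
    this.index -= 1;
    const entry = this.entries[this.index];
    for (const fn of this.listeners) fn({ state: entry.state });
  }
}

// Walk through the sequence described above from the visitor's browser's point of
// view and return what the visitor (or a browser extension) can observe.
function simulateHistoryManipulation() {
  const h = new SessionHistory('https://attacker.example/harmless-article');
  const observed = { popstateFired: false, state: undefined };

  // On load the page pushes an extra entry, so the first "Back" press stays on
  // this document instead of returning to the real previous page.
  h.pushState({ view: 'article' }, '', '/harmless-article?read=1');
  observed.urlBeforeBack = h.location.href;

  h.onPopState(e => { observed.popstateFired = true; observed.state = e.state; });
  h.back();
  observed.urlAfterBack = h.location.href;
  observed.originAfterBack = h.location.origin;
  observed.historyLength = h.length;
  return observed;
}

// The same-origin rule is the limit of the technique: an entry pointing at the real
// mail provider cannot be pushed from another origin, so the visible origin after
// "Back" is the cue that the page is not the mail service.
function canPushUrl(documentUrl, targetUrl) {
  const h = new SessionHistory(documentUrl);
  try {
    h.pushState(null, '', targetUrl);
    return true;
  } catch (e) {
    if (e instanceof SecurityError) return false;
    throw e;
  }
}

module.exports = { SessionHistory, SecurityError, simulateHistoryManipulation, canPushUrl };
```

Running simulateHistoryManipulation() shows that "Back" fires popstate without any navigation and leaves the address bar on the constructed attacker.example origin; canPushUrl() shows that the same document cannot push an entry for a foreign origin such as a mail provider's login page, which is why checking the origin in the address bar before re-entering a password is the practical user-side check.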

The full paper can be found here.

Keywords: phishing yahoo mail, phishing gmail, html5, html 5 history interface