It’s 2020, and numerous browsers still allow drive-by-downloads from what are meant to be secure contexts, such as sandboxed iframes.
For those unfamiliar with the term, a drive-by-download is when a user visits a site, and a file download is initiated without the user’s interaction.
This technique can be used to distribute unwanted software and malicious programs in the hopes that users will accidentally or mistakenly execute the downloads and get infected.
New research from ad security firm Confiant shows that secure contexts such as sandboxed iframes can be abused to allow drive-by-downloads when visiting a website.
As most advertisements are displayed on a web page via iframes, malicious advertisers can use them to deliver unwanted applications that infect your computer.
Investigating an attack
In January 2020, visitors to the Boing Boing site began seeing a fake Google Play Protect overlay that prompted users to download a malicious APK that installed the Anubis banking Trojan on Android devices.
For Windows users, it would instead display a fake Adobe Flash installation page that was distributing other malicious programs.
Originally thought to be a malvertising campaign, it was later discovered that Boing Boing’s CMS was hacked, and a script was injected that displayed these overlays to visitors.
After investigating this attack, Confiant researcher Eliya Stein noticed that the drive-by-downloads were being initiated by the JavaScript embedded into the page.
This script would create a link on the page and click this link, without any prompt from the user, to initiate the download.
While it turned out that this attack was not malvertising, Stein wondered if a similar attack could be initiated via malvertising using sandboxed iframes.
Testing sandboxed cross-origin iframes
As previously stated, most advertisements use sandboxed iframes to embed the ad on a web page.
As the advertisements are under a third party’s control, these iframes are commonly used with the sandbox attribute to increase security and restrict what actions the third-party page can perform.
To see if the same script described above would cause a drive-by-download of an APK in a sandboxed cross-origin iframe (an iframe loaded from a different hostname than the embedding page), Stein created a proof-of-concept page to test various browsers.
When creating this sandboxed iframe, Stein used the following sandbox restrictions, which are commonly used by advertisements:
allow-forms allow-pointer-lock allow-popups-to-escape-sandbox allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation
Let’s start with the good news.
With the release of Chrome 83, downloads are blocked in sandboxed cross-origin iframes, and the drive-by-download technique did not work. To allow downloads, a developer has to add ‘allow-downloads’ to the sandbox value.
Microsoft Edge, which is based on Chrome 83, also includes this new feature and blocks the drive-by-download.
Unfortunately, this is where it went downhill.
Mozilla Firefox does not prevent downloads in cross-origin iframes, and the user was prompted to download the file.
The privacy- and security-focused browser Brave also failed to block the drive-by-download.
Safari’s behavior was strange as it would attempt to download the APK file but ultimately never complete it.
Mobile browsers were inconsistent in Stein’s tests.
Android browsers would prompt you to download the file, but would warn that the APK file is dangerous.
Other mobile browsers would not download the file at all.
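As an added example (not code from the article or from Confiant), here are two defender-side checks for the technique described above: an audit of an ad iframe’s sandbox attribute that flags the allow-downloads opt-in Chrome 83 introduced, and a capture-phase click guard for the Boing Boing case, where the link-creating script runs in the page itself. The extension watchlist, the function names and the userActivation fallback are my own assumptions; the guard cannot see clicks inside a cross-origin iframe, which is why the sandbox attribute is the embedding page’s only lever there.

```javascript
'use strict';
// Added example, not from the article or Confiant: defender-side checks for
// script-initiated ("create a link and click it") downloads in ad iframes and in-page.

const DOWNLOAD_TOKEN = 'allow-downloads';                         // Chrome 83+ opt-in
const DOWNLOAD_EXTS = /\.(apk|exe|msi|dmg|scr|jar)(?=[?#]|$)/i; // constructed watchlist (assumption)

// Audit one iframe's sandbox attribute value (null = attribute absent, so nothing is restricted).
// Returns whether downloads are opted in and a hardened value with the opt-in removed.
// Caveat from the tests above: only Chrome 83+/Edge enforced this; Firefox and Brave did not.
function auditSandbox(sandboxValue) {
  if (sandboxValue == null) return { sandboxed: false, downloadsOptedIn: true, hardened: '' };
  const tokens = sandboxValue.trim().split(/\s+/).filter(Boolean);
  const downloadsOptedIn = tokens.includes(DOWNLOAD_TOKEN);
  const hardened = tokens.filter((t) => t !== DOWNLOAD_TOKEN).join(' ');
  return { sandboxed: true, downloadsOptedIn, hardened };
}

// Decide whether an anchor activation looks like a drive-by download.
// anchor = {href, download} (download: attribute value or null); evt = {isTrusted, userActive}.
// Returns null when the click is acceptable, otherwise a short reason string.
function classifyAnchorClick(anchor, evt) {
  const href = anchor.href || '';
  const looksLikeDownload =
    anchor.download != null || /^blob:/i.test(href) || DOWNLOAD_EXTS.test(href);
  if (!looksLikeDownload) return null;
  if (!evt.isTrusted) return 'synthetic click on download link';  // element.click()/dispatchEvent
  if (evt.userActive === false) return 'download without user activation';
  return null;
}

// Wire the classifier into a live document (returns false when there is no DOM, e.g. Node).
// Capture phase runs before the anchor's default action, so the download can be cancelled.
function installClickGuard(doc, win, onBlock) {
  if (!doc || typeof doc.addEventListener !== 'function') return false;
  doc.addEventListener('click', (evt) => {
    const a = evt.target && evt.target.closest ? evt.target.closest('a[href]') : null;
    if (!a) return;
    const ua = win.navigator && win.navigator.userActivation;       // undefined in older browsers
    const reason = classifyAnchorClick(
      { href: a.href, download: a.hasAttribute('download') ? a.getAttribute('download') : null },
      { isTrusted: evt.isTrusted, userActive: ua ? ua.isActive : undefined });
    if (reason) { evt.preventDefault(); evt.stopImmediatePropagation(); onBlock(reason, a.href); }
  }, true);
  return true;
}

if (typeof document !== 'undefined') {
  installClickGuard(document, window, (reason, href) => console.warn('blocked:', reason, href));
}
```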