It’s 2020, and numerous browsers still allow drive-by-downloads from what is meant to be secure contexts such as sandboxed iframes.

For those unfamiliar with the term, a drive-by-download is when a user visits a site, and a file download is initiated without the user’s interaction.

This technique can be used to distribute unwanted software and malicious programs in the hopes that users will accidentally or mistakenly execute the downloads and get infected.

New research from ad security firm Confiant shows that secure contexts such as sandboxed iframes can be abused to allow drive-by-downloads when visiting a website.

As most advertisements are displayed on a web page via iframes, malicious advertisers can use them to deliver unwanted applications that infect your computer.

Investigating an attack

In January 2020, visitors to the Boing Boing site began seeing fake Google Play Protect overlay that prompted users to download a malicious APK that installed the Anubis banking Trojan on Android devices.

Fake Google Play overlay
Fake Google Play overlay
Overlay instruction
Overlay instruction

For Windows users, it would instead display a fake Adobe Flash installation page that was distributing other malicious programs.

Fake overlay for Windows users
Fake overlay for Windows users

Originally thought to be a malvertising campaign, it was later discovered that Boing Boing’s CMS was hacked, and a script was injected that displayed these overlays to visitors.

After investigating this attack, Confiant researcher Eliya Stein noticed that the drive-by-downloads were being initiated by the JavaScript embedded into the page.

This script would create a link on the page and click this link, without any prompt from the user, to initiate the download.

Drive-by-download script
Drive-by-download script

While it turned out that this attack was not malvertising, Stein wondered if a similar attack could be initiated via malvertising using sandboxed iframes.

Testing sandboxed cross-origin iframes

As previously stated, most advertisements use sandboxed iframes to embed the ad on a web page.

As the advertisements are under a third-party’s control, these iframes are commonly used with the sandboxed argument to increase security and restrict what actions the third-party page can perform.

To see if the same script described above would cause a drive-by-download of an APK in sandboxed cross-origin iframes, which is an iframe loaded from a different hostname, Stein created a proof-of-concept page to test various browsers.

Drive-by-download proof of concept
Drive-by-download proof of concept

When creating this sandboxed iframe, Stein used the following restrictions that are commonly used by advertisements.

allow-forms allow-pointer-lock allow-popups-to-escape-sandbox allow-popups 

allow-same-origin allow-scripts allow-top-navigation-by-user-activation

Let’s start with the good news.

With the release of Chrome 83, downloads are blocked in sandboxed cross-origin iframes, and the drive-by-download technique did not work. To allow downloads, a developer has to add ‘allow-downloads’ to the sandbox value.

Chrome test blocked the download
Chrome test blocked the download

Microsoft Edge, which is based on Chrome 83, also includes this new feature and blocks the drive-by-download.

Unfortunately, this is where it went downhill.

Mozilla Firefox does not prevent downloads in cross-origin iframes, and the user was prompted to download the file.

Firefox allows the download
Firefox allows the download

The privacy and security focused browser, Brave, also failed to block the drive-by-download.

Brave Browser allows the download
Brave Browser allows the download

Safari’s behavior was strange as it would attempt to download the APK file but ultimately never complete it.

Safari starts the download but never completes
Safari starts the download but never completes

Mobile browsers were inconsistent in Stein’s tests.

Android browsers would prompt you to download the file, but would warn that the APK file is dangerous.

Other mobile browsers would not download the file at all.

By Enrico

My greatest passion is technology. I am interested in multiple fields and I have a lot of experience in software design and development. I started professional development when I was 6 years. Today I am a strong full-stack .NET developer (C#, Xamarin, Azure)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.