

PRESENTATION MATERIALS

Photos and videos from all talks will be uploaded in the next couple of weeks. Please follow @HITBSecConf on Twitter or join our Facebook Group

Rosario Valotta (Tentacolo Viola)

PRESENTATION TITLE:  Abusing Browser User Interfaces for Fun and Profit

PRESENTATION ABSTRACT:

As social engineering has become the dominant method of malware distribution, browser makers have started to design more robust and recognizable UIs in order to help users make informed choices while surfing the web. In this process, trusted UI notification mechanisms have played a crucial role: today any modern browser is able to identify potentially dangerous or sensitive actions requested by a web page (downloading a file, installing a plugin, granting privileges to a website) and prompt a dialog or a notification bar in order to require explicit confirmation from the user.

Even though these improvements have led to a greater degree of assurance, the notification mechanisms are far from being 100% safe: in this presentation I will show how notification bars in major browsers (Chrome 24, IE9, IE10) can be abused with little (or no) social engineering, leading to a compromise of the user's security and even to code execution on the victim's machine.

ABOUT ROSARIO VALOTTA

Rosario Valotta is an IT security professional with over 12 years of experience. He has been actively finding vulnerabilities and writing exploits since 2007 and has released a number of advisories and new attack techniques, including:

- Nduja Fuzzer (presented at DeepSec 2012): an innovative fuzzer leveraging the DOM Level 2 and 3 APIs that proved effective in discovering several 0-days in major browsers
- Cookiejacking, a new attack technique to steal any cookie on Internet Explorer (presented at HITB 2011 AMS and Swiss Cyber Storm 2011)
- Nduja Connection, the first cross-webmail XSS worm
- Memova exploit, affecting over 40 million users worldwide
- Outlook Web Access for Exchange CSRF vulnerability
- Information gathering through Windows Media Player vulnerabilities

The complete list is on the blog: http://sites.google.com/site/tentacoloviola/


Copyright © 2012 Hack In The Box | http://www.hackinthebox.org