It's based on techniques similar to Jeremiah Grossman's original GMail contact-list hack. (The Subverting Ajax paper by Stefano Di Paola and Giorgio Fedon also uses prototype hijacking, but has some seemingly exotic prerequisites like "a forward proxy and browser vulnerable to HTTP Response Splitting/Smuggling." See Grossman's deconstruction of the paper here.)
The vulnerability described in this new paper (and indeed many of the security issues with Ajax) comes from a confluence of three things:
- JSON: It's not just a data format, it can also be executable code.
(And for the people who are still hyperventilating over the prospect of being hakz0r3d in horrible ways by their Ajaxy Web UIs, I would also suggest giving Grossman's "Myth-Busting AJAX (In)security" article a read.)
As a side note, if you're interested in playing around with this vulnerability, the authors of the paper used the deprecated
setter syntax for the code that does the actual dirty work of filching the private data in the example. A better way to do it is with the
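To make the two points above concrete (JSON doubling as executable code, and the prototype-setter trick the paper relies on), here is an added example that is not code from this post, from the paper, or from its authors. It uses `new Function()` to stand in for a cross-site `<script src=...>` include of a JSON endpoint, so it runs offline with no browser; the sample responses and the `)]}',` guard prefix are constructed assumptions of mine, not anything from the page. It also checks, from the defender's side, whether an `Object.prototype` setter still fires when an object literal is evaluated in a current engine.

```javascript
// Added illustration: why a bare JSON array response is also a valid JavaScript
// program, how a response prefix breaks that, and whether a prototype setter
// is still triggered by literal evaluation in a modern engine.
// new Function(body) parses its body as JavaScript the same way a <script>
// include would; no network or browser is needed.

const JSON_PREFIX = ")]}',\n"; // assumed anti-hijacking guard prefix (constructed)

// Constructed sample responses, as a contact-list API might return them.
const bareArrayResponse =
  '[{"email":"alice@example.test"},{"email":"bob@example.test"}]';
const guardedResponse = JSON_PREFIX + bareArrayResponse;

// Does the response body parse as a JavaScript program?
// A bare array/object literal does, which is exactly what lets a hostile page
// pull a JSON endpoint in with a <script> tag instead of XMLHttpRequest.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only; the body is never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Legitimate same-origin client: strip the guard, then treat the rest as data.
// A cross-site <script> include cannot strip the prefix, so it only ever sees
// a syntax error.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Defender's check: install a setter for "email" on Object.prototype, evaluate
// the literal as script, and see whether the setter observed any value.
// Since ES5, object/array literals define properties directly rather than
// assigning through the prototype chain, so the setter should not fire.
function setterFiresOnLiteral() {
  const captured = [];
  Object.prototype.__defineSetter__("email", function (v) {
    captured.push(v);
  });
  try {
    new Function("return " + bareArrayResponse)(); // evaluate the literal
  } finally {
    delete Object.prototype.email; // always remove the global side effect
  }
  return captured.length > 0;
}

console.log("bare array parses as script:", parsesAsScript(bareArrayResponse));
console.log("guarded response parses as script:", parsesAsScript(guardedResponse));
console.log("client sees:", JSON.stringify(parseGuardedJson(guardedResponse)));
console.log("prototype setter fired on literal:", setterFiresOnLiteral());
```

The prefix works because the endpoint's output is no longer a valid program, while a client that already has same-origin access can trivially remove it before calling `JSON.parse`; the same reasoning applies to the `while(1);` style guard. The last check documents why the paper's original technique depended on the engine semantics of its day: a modern engine reports `false`, which is the behaviour to verify rather than assume when assessing an old finding.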