By 2020, many browsers still allow drive-by-downloads from secure environments, such as iframes with sandbox. For those unfamiliar with drive-by-download, it describes a user's visit to a site and the subsequent download of a file without user interaction. This technique can be used to distribute unwanted software and malware in the "hope" that users will accidentally or accidentally download and become infected.
New research from Confiant advertising security company shows that secure environments, such as sandbox iframes, can be abused to allow drive-by-downloads when visiting a site. As most ads appear on a website via iframe, malicious advertisers can use them to deliver unwanted applications that infect users' computers.
While it turned out that this attack was not malicious advertising, Stein wondered if a similar attack could be started through malicious advertising using sandbox iframes. As mentioned earlier, most ads use iframes with sandbox to integrate advertising on a website. As ads are controlled by a third party, these iframees are usually used with the sandbox argument to increase security and limit the actions that a third party page can perform. To find out if the same scenario described above would cause an APK to be downloaded to multi-source sandbox iframes, which is an iframe loaded with a different central computer name, Stein created an experimental page to try different browsers. When creating this sandbox iframe, Stein used the following restrictions commonly used by ads: allow-forms allow-pointer-lock allow-popups-to-escape-sandbox allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation.
The good news is that with its release Chrome 83, downloads are excluded in multi-source iframes with sandbox and so the drive-by-download technique did not work. To allow downloads, a developer must add "allow-downloads" to the sandbox price. Microsoft Edge, which is based on Chrome 83, also includes this new feature and excludes the drive per download. THE Mozilla Firefox does not block downloads in multi-source iframes and was asked by the user to download the file. The Brave Browser, which focuses on privacy and security, has also failed to block drive-by-download. His behavior Safari it was weird as he was trying to download the APK file, but in the end he never finished it. Mobile browsers were inconsistent with Stein's testing. Android browsers would ask users to download the file, with the caveat that the APK file is dangerous. Other mobile browsers do not download the file at all.
Therefore, enabling scripts to start downloading in what is expected to be a secure environment is problematic, as it could allow malware to be distributed through malicious ads. While the Chrome 83 and Microsoft Edge 83 excludes both downloads in iframes with sandbox, Brave and Firefox still allow it. In a Mozilla Firefox error post, Firefox developers have already completed the code to block downloads on iframes with sandbox and will add it to the browser soon. Finally, it is not known whether Brave, Safari and the affected mobile browsers will solve the problem in the future.