Written by
noncetonic
13 Dec 2017
Foreword
I’ve had a PoC for this technique for a little while as part of research for a future talk on the subject of post-exploitation in MacOS, but as an article has surfaced detailing the adware OSX.Pirrit’s use of this technique, I thought it appropriate to disclose this writeup. It should be noted that while this particular PoC targets only Google Chrome, the attack works against Safari as well. Mozilla Firefox is exempt from this specific attack as they do not expose a similar scripting definition to AppleScript.
Wouldn’t it be nice to inject arbitrary Javascript into a user’s browser regardless of XSS detection, website, or hoping a user is foolish enough to visit a BeEF link?
Sniffing credentials right out of form submissions, disregarding 2FA by leveraging a victim’s already active tab, redressing/overlay attacks and much more are possible with this technique, and all done with no specialized tools.
Join me as I rush to release this post before everyone writes detection around this surprisingly well documented feature of Chrome/Safari on MacOS and create a mostly harmless inject which sneakily scrapes a Gmail tab for Email, Sender name, and Subject informatino leveraging Applescript as an In-Memory Javascript Injector
Has anyone really ever been as far as to do want inject javascript?
The PoC
You probably don’t care about the how and just want a pre-packed PoC ready to be used for rickrolling your friends so here it is:
Full Chrome Gmail Javascript Injection AppleScript
Non-Minified Javascript payload
Minimized OSAScript oneliner
Minified Javascript payload (keeps size of Applescript payload/oneliner small)
How the whut?
Put simply, AppleScript is boss and very few built-in scripting languages on other Operating Systems come close to the amount of power that given to end-users and developers. Intended primarily to be used for automation, AppleScript has the potential to open the door to a lot of fun for system administrators and hackers alike.
Applications with dedicated integrations with AppleScript contain an .sdef file which outlines the _S_cripting _Def_initions available to AppleScript. Poking around a bit on my system I noticed that Chrome and Safari had .sdef files.
Here’s a link to Chrome’s for those who want to follow along
For a little more fun Here is an example provided by Google themselves on executing Javascript in the browser
Writing a little bit of AppleScript to take advantage of this feature and leveraging a Javascript minimizer to keep the size of the payload small results in a really fun little browser hijack technique.
What’s it do?
While a primer on AppleScript is outside the scope of this post, a quick breakdown of the code is provided as comments in the provided code to aid the reader.
RTFM
Closing
While I’m sad that I wasn’t the first one to weaponize this technique publicly I hope that this public release of a fairly harmless PoC will spark discussion around writing more creative payloads and help excite malware authors and security researchers to take more time to look at MacOS and develop more post-exploitation techniques.
I leave implementation of this PoC in Safari as an exercise for the reader.
RIP Trevor; another fun bug squashed in public.
Written by
noncetonic
17 Jul 2017
Foreword
Cultivating an online persona in the modern era of the internet can be difficult without giving up too much of your own personal information due to the rise of spammers leveraging bots to generate bulk accounts. This leaves the anonymity minded individual with very few options for anonymously registering an account with many services short of paying for services such as recyclable SMS numbers, buying bulk accounts from Phone Verified Account (PVA) shops, or buying SIM cards for one-time use.
Additionally, services are beginning to prompt users to provide photographic proof of their identity making burner SIM cards and other anonymous SMS verification methods only one part of the problem.
The “Cultivating An Online Persona” series will discuss various methods for obtaining access to popular online services while maintaining a user’s anonymity as well as provide readers with an insight into methodologies which can be employed against other services.
Email Addresses Are Important
In a world where your email address is as good as your state ID and act as your gateway to registering for other services, the first step towards cultivating an online persona hinges upon your ability to create an email address which has as little ties to your true identity as possible.
Because of the importance of email addresses, this post will focus on creating a Gmail account while bypassing phone verification.
Bypassing Gmail’s Phone Verification
Why Gmail?
Many readers may wonder why one would even bother attempting to register a Gmail account when there are other services such as ProtonMail which allow users to register for accounts with no personal information. In the opinion of others, myself included, registering for an email account on services such as this inherently gets your persona grouped into a subset of “non-standard” internet denizens. Additionally, due to the popularity of Gmail the chances of a Gmail hosted email address being banned from use for signup or being used as a trigger for secondary anti-spam/anti-bot verification (SABV) is substantially lower.
The Theory
There have been many free bypasses for Gmail phone verification throughout the years including things such as signing up from third-world countries where mobile phones are less common to leveraging mobile phone emulator software such as BlueStacks. While these techniques worked in the past the success rate has dropped substantially causing many to abandon them as viable.
Note: Using mobile phone emulators is an extremely effective way of sneaking by SABV on services primarily accessed via mobile applications such as Instagram.
One technique which has been used successfully is a very simple one in nature is to register for a Gmail account using the youngest age allowable by Google’s adherence to the Children’s Online Privacy Protection Act of 1998.
According to Google’s age requirement policy, in countries outside of South Korea, Spain, and the Netherlands, registrants must be at least 13 years old to create a Google account. As 13 year olds are not expected to have their own mobile phone for phone verification, providing a secondary email for recovery purposes is enough to bypass phone verification. The sweet spot I’ve found for age range is between 13 and 15 in countries where 13 is the minimum age requirement.
The Plan
In order to create our Gmail account we need to satisfy a few requirements:
- Birth year that puts you between 13 and 15 years old.
- Email account used to satisfy recovery options
These requirements are easily satisfied and will be discussed before the actual creation of the Gmail account.
Becoming A Teenager
A great resource for all your online persona needs is FakeNameGenerator. Leveraging FakeNameGenerator it’s as easy as clicking the provided link below to generate a birthdate that puts you within our defined age range. All the fun of being a teen again without all the angst and weird body changes!
Generate A Teenage Birthday
Getting A Recovery Email
There are a lot of places providing email addresses with little to no verification required from a user and a Google search will turn up enough results if you can’t think of one. For the purposes of this post we will use Mail.com. This link will send you straight to their sign-up page. It’s recommended to get your recovery email address to match your desired Gmail address as closely as possible. This isn’t a requirement but it doesn’t hurt in the off chance your registration is checked by an account review process.
Note: As this is the email address that will be used to regain access to your Gmail in case of lockout it is advised to use a unique, strong password if you have reason to believe your account would be targeted for takeover by a third-party.
Registering With Gmail
And now the section you’ve been waiting for.
- Visit the Google Signup Page
- Fill out the signup form. Personally I just copy paste the information generated by FakeNameGenerator.
- Ensure your Birthday puts you in the appropriate 13-15 year age range.
- Leave the Mobile phone field blank.
- Provide your recovery email in the Your current email address field.
- Click Next step.
- Confirm your recovery email by clicking the link provided by Google that will be sent to your provided recovery email address.
- Enjoy your new Gmail account.
Note: While using Tor will almost instantly get you flagged, attempting to create multiple Gmail accounts in this way using the same IP address and without clearing your browsing session will often result in the registration getting flagged by SABV and causing you to get the phone verification prompt.
Closing
Now that you’ve got your own real-life verified Gmail account the world is your oyster. The next article in this series will cover some of the services you can use your fake persona with to start creating a believable online identity.