Conversation

twitter.com/EtTuCarl/statu It's 3 vulnerabilities in Skia, which is a 2D rendering library used by Android, Firefox and Chromium. It's widely used and the context where an attacker could gain code exec varies. For Chromium on Android it's in the Chrome or WebView renderer sandbox.

Quote Tweet

Carl (fan parody)

@EtTuCarl

Feb 14, 2019

@DanielMicay Do you know exactly what part of Android does this (specific to built-in photo app, webview, or something else)? twitter.com/cybersecboardr…

Daniel Micay

@DanielMicay

Feb 14, 2019

There are other Android apps using it along applications on other platforms. There's a detailed post about the issues on the Project Zero blog: googleprojectzero.blogspot.com/2019/02/the-cu Can tell it has diverse apps using it from StackOverflow questions like stackoverflow.com/questions/4229 (C# on iOS).

stackoverflow.com

How to add rect using Skia Sharp and apply both fill color and stroke color to that object?

How to add rect or any shape using Skia Sharp and apply both fill color and stroke color to that object in iOS

Replying to

Skia sounds as awful as something I'd expect out of Google...

Replying to

They made it because Cairo has terrible performance and varying output across platforms. I'd expect that Cairo has bigger security problems too, but doesn't get nearly as much attention because it's not exposed in two of the major browsers as the 2D canvas implementation.

Replying to

Why is this kind of functionality even exposed at all except opt-in?! (Obvious answer: Google wants it for adtech fingerprinting.)

Replying to

and

If sites want to rasterize shit themselves in my browser, they can ship a rasterizer in portable js that runs in the sandbox like everything else.

Replying to

Font handling is also a large attack surface since font rendering is extremely complex and browsers expose it to untrusted input by supporting fonts provided by the site. CSS is super complex by itself and keeps getting more features that need to interact with all the others.

Replying to

Yes, there are other components with similar attack surface but that doesn't justify adding more.

Replying to

Yeah, I'm just saying it's a systemic issue and there's a ton of attack surface that's rapidly growing. They keep adding new features and rarely acknowledge the security implications. Privacy gets taken into account in the specs but the features usually get added regardless.

Replying to

and

They end up identifying some privacy issues with a feature and then add it anyway. The restrictions on a feature to protect privacy are usually optional and browsers only implement a portion of it. At the spec level, they consider suggesting some optional restrictions a solution.

8:33 PM · Feb 14, 2019Twitter Web Client

Replying to

and

This reminds me of imagemagick woes

Replying to

and

in the case of canvas fingerprinting/font fingerprinting, they intentionally use it for recaptcha and ad targeting, so it's definitely a feature for them

AJ Jordan #neveragain

Replying to

and

source? I would be really interested in reading about this.

Show replies