Ten of the sites were among the top 1,000 most visited websites of the year, including Weebly.com, CNET.com, and McKinsey.com.
“Only recently have researchers started looking closely at prototype pollution and realizing it’s a matter of great concern,” said cybersecurity expert Yinzhi Cao, an assistant professor of computer science in the Johns Hopkins Whiting School of Engineering. “Many in the developer community may not be aware that prototype pollution vulnerabilities can have severe consequences.”
He and his team set out to study this snowball effect using dynamic taint analysis, a method in which inputs to the application are labeled with a special “tainted” marker and the researchers observe how the tainted data propagates through the program. If the marker is still present where the program produces security-sensitive output, the researchers know that attacker-controlled input reaches that point, and that the application is vulnerable to input attacks that could trigger unplanned actions.
“Imagine a very long pipe in a big black box and I want to know whether Points A and B are connected. If they are, I can put some toxic liquid at Point A to attack Point B. What we do is to drop a bit of red dye in the water at Point A and then observe the water color at Point B. If I can see Point B is also red, I know A and B are connected and then we can launch attacks,” Cao said.
The researchers identified three major input attacks that can be caused by prototype pollution: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites provide ample opportunities for cyber criminals to hijack passwords and install malware, among other nefarious activities.
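The chain the article describes, in miniature, as an added example (this is constructed illustration code, not ProbeTheProto or code from the paper). A naive client-side query-string parser with bracket syntax (`?a[b]=c`) writes attacker-chosen key paths straight into an object; the path `__proto__[html]` therefore lands on `Object.prototype`. Three stand-in “gadgets” then read options the page never set, and the polluted values flow toward the three sink classes the study names: markup headed for `innerHTML` (XSS), a string headed for `document.cookie`, and a target headed for `location.href`. The `TAINT` marker plays the role of Cao’s red dye: the example checks whether it surfaces at each sink. The parser, gadget and marker names are assumptions for the illustration; the hardened parser beside it refuses prototype-chain keys and keeps every container prototype-less. It runs under Node, so the browser sinks are represented by returned strings.

```javascript
// Constructed example of a client-side prototype pollution chain (not from the
// ProbeTheProto paper). TAINT stands in for the "red dye" injected at the input.
const TAINT = "TAINT_7f3a";

// Split "?a[b]=1&c=2" into [[["a","b"], "1"], [["c"], "2"]]; keys use bracket syntax.
function parsePairs(search) {
  const out = [];
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? "" : pair.slice(eq + 1);
    const path = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean);
    if (path.length) out.push([path, decodeURIComponent(rawVal)]);
  }
  return out;
}

// Walk/create nested containers along `path` and assign `val` at the leaf.
// With a plain object root and the key "__proto__", the walk steps onto
// Object.prototype and the final assignment pollutes every object in the page.
function assignPath(root, path, val, newContainer) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) cur[path[i]] = newContainer();
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = val;
}

// Vulnerable parser: no key filtering, ordinary objects as containers.
function parseQueryVulnerable(search) {
  const result = {};
  for (const [path, val] of parsePairs(search)) assignPath(result, path, val, () => ({}));
  return result;
}

// Hardened parser: drop any pair whose path touches the prototype chain, and use
// null-prototype containers so a missed key still cannot climb to Object.prototype.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(search) {
  const result = Object.create(null);
  for (const [path, val] of parsePairs(search)) {
    if (path.some((k) => FORBIDDEN.has(k))) continue;
    assignPath(result, path, val, () => Object.create(null));
  }
  return result;
}

// Gadgets standing in for the three sink classes. Each reads an option the page
// never sets, so after pollution the lookup falls through to Object.prototype.
const gadgets = {
  innerHTML: (opts) => `<div class="banner">${opts.html ?? "<p>Welcome</p>"}</div>`, // XSS sink
  cookie: (opts) => `session=abc; path=/; domain=${opts.cookieDomain ?? "example.com"}`, // document.cookie
  location: (opts) => opts.redirect ?? "/home", // location.href
};

// Parse an attacker-crafted query with `parser`, call each gadget on a fresh empty
// object, and report which sinks the marker reaches. Cleans up the prototype after.
function sinksReached(parser) {
  const payload = [
    "__proto__[html]=" + encodeURIComponent(`<img src=x onerror="${TAINT}">`),
    "__proto__[cookieDomain]=" + encodeURIComponent(`${TAINT}.evil.example`),
    "__proto__[redirect]=" + encodeURIComponent(`https://${TAINT}.evil.example/`),
  ].join("&");
  try {
    parser("?" + payload);
    return Object.keys(gadgets).filter((name) => gadgets[name]({}).includes(TAINT));
  } finally {
    for (const k of ["html", "cookieDomain", "redirect"]) delete Object.prototype[k];
  }
}

console.log("vulnerable parser, sinks reached:", sinksReached(parseQueryVulnerable));
console.log("hardened parser, sinks reached:", sinksReached(parseQuerySafe));
```

The point of splitting the pollution (the parser) from the sinks (the gadgets) is that neither half looks dangerous on its own; the vulnerability exists only in the chain, which is why a taint marker that travels from the query string to the sink is a more reliable detector than reading either piece in isolation.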
Cao says that researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even recommend the best patch for their code. Thanks to Cao’s team sounding the alarm, 293 vulnerabilities have so far been fixed by developers.
“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we are helping them stay ahead of cybersecurity threats,” Cao said.
Computer science graduate students Zifeng Kang and Song Li contributed to the research. The team members will present their paper “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium, April 24-28 in San Diego.