Critical Unity Web Player Vulnerability Affects Millions of Users
A serious vulnerability in Unity Web Player has been discovered by security researcher Jouko Pynnönen. It allows a malicious Unity application to contact other websites using the target's credentials, giving the attacker the ability to read files and data on the victim's hard drive and to read private messages on services such as Facebook and Gmail.
The flaw lets an altered Unity application bypass the plugin's standard cross-domain policy while the target views a page running the malicious application. The bypass relies on a specially formatted URL, one carrying a user:password part, in an HTTP redirection.
According to Jouko Pynnönen:
“A malicious app loaded from ‘http://x:y@[attacker site]/’ could access an URL from e.g. ‘http://x:y@[attacker site]/redirector’ which could return a HTTP redirect status code (301, 302, 307) and a Location: header pointing at ‘http://x:y@mail.google.com/’. The redirect should be denied because it points to a different domain. However, Unity Web Player allows the redirect because it erroneously bases its evaluation on the user:password part of the URL which is identical in both URLs (“x:y”).”
According to Unity, more than 500 million users run Unity content on Macs, PCs, mobile devices and game consoles.
The researcher has published a proof-of-concept video demonstrating the vulnerability:
Pynnönen's advisory describes the demo exploit: “The screencap below shows Firefox's Network Monitor when running our demo exploit. After the application is loaded and the plugin has checked for updates, it accesses an URL on the ‘attacker site’ and gets a 301 redirection to mail.google.com. The browser loads the target user's email list (about 12 kB) and posts it back to the attacker. The demo exploit then parses the list and proceeds to download individual email messages.”
Pynnönen said he made several attempts to contact Unity Technologies by email and through the company's web contact form starting in December 2014, and submitted two bug reports through the company's portal in February and April 2015, but received no response until June 3rd.
“According to their email, the QA team has picked up the bug reports today and an improved security response procedure is in the works,” Pynnönen noted.