Popular Facebook-endorsed gaming plugin can steal your email
Fri 5 Jun 2015

A hugely popular Windows gaming plug-in that is endorsed by Facebook has a vulnerability that could let attackers steal your emails and Facebook data, and in some cases even read files from the victim’s hard disk.
The affected ‘Unity Engine’ provides a framework for developers to generate cross-platform 3D content. In the PC space it can operate in all NPAPI-enabled browsers (i.e. browsers which permit you to load standard plugins such as Flash and Java).
Finnish researcher Jouko Pynnonen informed the developers of a cross-scripting vulnerability in the Unity Engine in December of last year, and again in February and April of this year. Failing to get any response, he posted the vulnerability this week, later amending it to reflect that the developers, Unity Technologies, had finally responded that their team has picked up the bug reports and an ‘improved security response procedure is in the works’.
Cross-scripting attacks target the rigid cross-domain policies in web servers that prevent information flowing from one site that you visit to another. Normally a specially-crafted xml file [PDF] is needed to remove this protection, but the Unity plug-in has instituted a custom URL protocol that can be exploited to break down the cross-domain wall.
Using this weakness Pynnonen was able to create an exploit with adequate credentials to gain access to a user’s emails by using standard web-redirects in the compromised URL structure (video at end of article).
In the case of Windows-only browser Internet Explorer, Pynnonen was even able to read files off the user’s hard disk.
San Francisco-based Unity Technologies formed an alliance with Facebook in 2013, receiving endorsement and an API framework, collectively called the ‘Facebook Unity package’. The Unity Engine boasts 200 million installs and has a known roster of over 130 games including Angry Birds Epic, Shadow Blade and Hearthstone: Heroes of Warcraft.
The exploit’s capability varies across browsers and browser versions. Earlier this year Google Chrome disabled NPAPI (browser plug-ins) by default, although users can still turn plugin functionality back on in settings. Mozilla Firefox also announced its intention to part company with NPAPI, which hails back to the 1990s, when web browsers could only load rich content by becoming a wrapper for third-party or custom code such as the Macromedia (later Adobe) Flash Player, the Adobe Acrobat Reader plugin, and the Sun (later Oracle) Java plugin.