Consider defenses against Malicious Entity Injection (MEI)
Malicious Entity Injection, or MEI (writeup at mei.ninja), is an attack I've researched and found exploitable in certain situations for Unity3D apps. Prevention mechanisms should be put in place to prevent malicious loading of entities from third-party sources such as ad networks, and content integrity/signature checks should be performed on entities loaded.
Without MEI defenses, an attacker potentially has the ability to inject entities that can be used to manipulate or harm a user. Currently, HTTPS and TLS are adequate for defending against MEI in Unity3D form; however, with mixed content loading (i.e. ad networks) or broken TLS implementations, it's possible to compromise what's loaded. Something similar to CSP needs to be developed to defend against MEI in the JS realm as well.
Not sure that this is an issue for WebXR and related web-based standards. I'm pretty sure the standard web sandbox already deals with this sort of thing.
Downloading and loading Unity content from untrusted sources (i.e., not your own servers, over secure connections) would be somewhat insane, wouldn't it? It'd be like using something like exokit to run code at a URL "somewhere on the net".
Agreed, we believe this threat vector is addressed by other baseline web standards (e.g. HTTPS to ensure integrity of the downloaded asset). I'd suggest we close this issue unless there is something unique to the immersive web that needs to be considered?
I half agree. This should be used as a means to push for HTTPS as a best practice. That being said, HTTPS has had attacks in the past to decrypt and re-encrypt a modded payload, so there needs to be further consideration for defenses beyond just "encrypt the traffic". Content signing might help.
So I don't know where to put this, but I think there's going to need to be a content loading API for browsers. With how the web currently works, we have content for one site loaded from all over the place. We're gonna need a CSP style loading API with a signing system that allows fine grained controls of what loads from where with content validation. If not, a malicious attacker could pop a content repo and swap content that could cause harm to users.
This is probably going to require a new API, but frankly, it relates to immersive as this is when it's going to come into the "oh god why is there a car coming at me, I better swerve" crash "wait, there was a car, what the fuck?" territory.
As far as using exokit to load random content, to be blunt, I've seen stupider stuff happen in the field. This is something where I suspect the real problem will come into play as CDNs come online for XR and ad networks start hitting XR. A lot of malware is pushed through malicious advertisements, including ransomware. I suspect the real attacks will happen through malicious ads hosted by ad networks.