One Weird Kernel Trick: Hijacking IPython Websockets

One Weird Kernel Trick: Hijacking IPython Websockets

Lightning talk at #SciPy2014. Vulnerability disclosure of cross domain websocket hijacking in the IPython notebook. https://twitter.com/rgbkrk/status/487369535456935936

See also: http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython

E76c7ebc9d2e8a4b840f13cd01946437?s=128

Kyle Kelley

July 10, 2014
Tweet

Transcript

  1. One Weird Kernel Trick Hijacking IPython Websockets

  2. The IPython Notebook • Runs code on your (laptop |

    server | cluster | pi) • From your browser… • JavaScript -> Notebook Server -> Kernel • Kernel.execute
  3. Kernels and websockets

  4. Kernel Notebook Server ! http://127.0.0.1:8888 Kernel

  5. Hijacking Websockets

  6. Kernel Notebook Server ! http://127.0.0.1:8888 Kernel MALICIOUS Server ! kerneltricks.com

    NEW TAB!!!
  7. ws://127.0.0.1:8888/kernels

  8. Kernel Notebook Server ! http://127.0.0.1:8888 Kernel MALICIOUS Server ! kerneltricks.com

  9. !

  10. Mitigations • Kernel ID is a UUID, randomly generated •

    Using an authenticated notebook server protects you from this issue • Fixed in IPython 1.2+, 2.x series
  11. Let’s talk security

  12. security@ipython.org