In this presentation, we examine a series of information disclosure flaws uncovered in Mozilla Firefox, with particular emphasis on how URL protocol handlers can pose security threats. Our investigation shows that attackers can leverage subtle timing variations and side channels to detect installed applications and configured URL protocols. Notably, the vulnerabilities CVE-2024-5690 and CVE-2024-9398 enable adversaries to profile user systems and gather reconnaissance data without any direct interaction from the user.
This research underscores the critical need to address emerging side-channel exploits in modern browsers and offers practical guidance for developers and security professionals alike. By applying these insights, it is possible to strengthen user privacy and mitigate advanced exploitation tactics in today's threat landscape.

The Hybrid Broadcast Broadband TV (HbbTV) is a protocol developed to combine standard television broadcasts with digital content over the Internet. In 2009, an industrial consortium led by the German broadcaster RTL launched the HbbTV initiative, setting a standard for a broadcast/broadband hybrid protocol to deliver content to Smart TVs, set-top boxes, and other connected multiscreen devices in an interconnected environment. With millions of supported devices around Europe, questions about the protocol's security arise. Recent studies have already shown that HbbTV provides users with little or no security and privacy. HbbTV's security and privacy issues are manifold. They range from a simple echo request from the broadcaster to check if the user is still watching to content-based attacks that replace URLs to show viewers different content than was intended. These issues have also been abused in practice, most recently in May 2022 when hackers exploited HbbTV broadcasts of Russian TV stations to show anti-war messages.
In our work, we analyzed the security of HbbTV applications by doing practical experimental research on selected smart TVs. Notably, we focus on three different Target of Exploitation (ToEs) from Toshiba, Samsung and LG vendors. We selected such devices as they support different Operating Systems (OS), respectively Android TV, Tizen OS and WebOS, and are manufactured in different years. By analyzing their software, we can infer that HbbTV adopts a different browser than the one advertised by the TV.
Following, we demonstrate how anyone can develop and deploy their malicious HbbTV application. We show the feasibility of HbbTV hijacking attacks by replacing the legit application in a (pre-recorded) broadcast stream and re-modulating the signal to a Smart TV. We exploit our ToEs smart TVs using HbbTV following our proposed threat model. In particular, we focus on Denial of Service (making the TV unusable), Spoofing (replacing news banners with fake ones), and Phishing (tricking users into inputting sensitive information, like credentials) threats. All our three ToEs are affected by such threats, showing the risks that users are subject to. Finally, we show how both the Toshiba and LG TVs can be used to scan the local network they are connected to and send HTTP requests to other connected devices, broadening the attack surface and potentially hindering the safety of users in case of critical devices connected, such as health monitors.

Compass Security participated in the Pwn2Own 2023 contest held in Toronto, focusing on the Synology BC500 IP camera within the Surveillance Systems category. Our team successfully discovered various vulnerabilities, including one for which we wrote an unauthenticated Remote Code Execution (RCE) exploit. We'll begin the talk by explaining the analysis we performed on the physical device.
We'll showcase the discovered debugging interfaces and outline how we analyzed the authentication mechanism and gained shell access as root. This was the first step required for starting the vulnerability discovery process.
In the next section we'll explain the weaknesses we discovered during our investigation and we'll talk about the exploitation of the unauthenticated RCE, highlighting unique challenges introduced by the Pwn2Own competition, such as stringent time constraints and collision concerns, which may not necessarily affect real-world attackers.
Finally, we will describe the development process we used to write the proof of concept of the exploit. We'll talk about various challenges we encountered and design choices we made to ensure the creation of a robust and reliable exploit.
You can find all the articles describing this whole process in details in our blog.