flat assembler
Message board for the users of flat assembler.
revolution
https://thehackernews.com/2019/08/kaspersky-antivirus-online-tracking.html
Quote: "That's a bad idea because other scripts that run in the context of the website domain can access the HTML code at any time—and thus the injected Kaspersky ID. This means in plain language that any website can simply read the Kaspersky ID of the user and misuse it for tracking," the researcher says.
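The tracking risk described in the quoted article, as an added example that is not part of the thread: a Node.js audit that takes the HTML of several unrelated sites as the browser received it and reports any GUID-shaped identifier in resource URLs that repeats across them. The hosts, paths and GUID values are constructed sample data, and the function names are hypothetical.

```javascript
// Added example, not code from the thread or from any vendor.
// Assumption: the injected identifier is GUID-shaped and sits in a resource URL.
const GUID = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;
const RESOURCE = /<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Return every GUID-shaped token found in the resource URLs of one HTML capture.
function guidsInResources(html) {
  const found = new Set();
  for (const m of html.matchAll(RESOURCE)) {
    for (const g of m[1].match(GUID) || []) found.add(g.toLowerCase());
  }
  return found;
}

// captures: { site: HTML as the browser received it }.
// An identifier that appears on two or more unrelated sites was not issued by
// those sites; it comes from something local (AV, proxy, extension) and is
// readable by every script on every page, so it works as a cross-site ID.
function crossSiteIdentifiers(captures) {
  const sitesById = new Map();
  for (const [site, html] of Object.entries(captures)) {
    for (const id of guidsInResources(html)) {
      if (!sitesById.has(id)) sitesById.set(id, []);
      sitesById.get(id).push(site);
    }
  }
  return [...sitesById]
    .filter(([, sites]) => sites.length > 1)
    .map(([id, sites]) => ({ id, sites }));
}

// Constructed captures: both pages carry the same injected script URL;
// shop.example also uses a GUID of its own in an image path.
const sampleCaptures = {
  "shop.example": '<html><head><script src="https://injected.example/1b4e28ba-2fa1-11d2-883f-0016d3cca427/main.js"></script></head><body><img src="/img/3f2504e0-4f89-11d3-9a0c-0305e82c3301.png"></body></html>',
  "news.example": '<html><head><script type="text/javascript" src="https://injected.example/1B4E28BA-2FA1-11D2-883F-0016D3CCA427/main.js"></script><link rel="stylesheet" href="/site.css"></head></html>',
};

console.log(crossSiteIdentifiers(sampleCaptures));
```

The site's own image GUID is not reported because it appears on one site only; the injected one is reported for both.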
sleepsleep
Any example for non JavaScript web application that we could follow and study?
sts-q
Thank you for posting, revolution!
revolution
Using an img tag will direct the browser to contact a single site. Using JS all scripts from all sites linked on the page can read the HTML code and report back to multiple places.
And if CSS can be used to do the same thing then CSS also needs to be blocked or neutered or something. I haven't looked into it, but you make it sound dangerous. Do you have some links about its abilities?

It certainly isn't right that websites can have so much power over the user's browsers regardless of whether it is JS or CSS or whatever. Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details. And there is the problem. It shouldn't be that we need to trust the remote site to be safe. That is wrong headed. We shouldn't have to care.

Browsers can have bugs, they then get fixed to make us safer. JS can be running without bugs, but we need to break it to make us safer.
DimonSoft
revolution wrote: Using JS all scripts from all sites linked on the page can read the HTML code and report back to multiple places.

revolution wrote: Using an img tag will direct the browser to contact a single site.

But it’s the fact of the contact that matters and gives data to a third-party. If the website owner wants its pages to access another site it doesn’t matter which URL is used.

revolution wrote: And if CSS can be used to do the same thing then CSS also needs to be blocked or neutered or something. I haven't looked into it, but you make it sound dangerous. Do you have some links about its abilities?

The idea is that you can use :visited pseudo-class to detect if the URL of the link has been accessed recently. And then there’s plenty of ways in CSS to attach an image to particular elements (say, background-image property). That’s quite enough.

revolution wrote: It certainly isn't right that websites can have so much power over the user's browsers regardless of whether it is JS or CSS or whatever. Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details. And there is the problem. It shouldn't be that we need to trust the remote site to be safe. That is wrong headed. We shouldn't have to care.

You come back to blaming websites while ignoring non-web-applications that have much higher privileges. Remember Thompson’s hack as well:
how do you know your debugger shows you what there really is in the executable?
how do you know your OS loads exactly the code it lets the debugger to read from disk?
how do you know you don’t get tricked by a tricky piece of code that seems valid but in fact does some clever (and malicious) stuff in some corner cases?
what will you do with messengers, browsers and those mobile apps “you absolutely need to install to use our service” that are allowed to retrieve arbitrary data from the Internet as well as send your data in return?

revolution wrote: Especially since code coming from webpages can't be audited, and every visitor can receive a different version. Some high-profile reviewer that people trust to tell them what is safe could receive perfectly neutral code, while everyone else gets weaponised code to steal their banking details.

And that is exactly what happened in the case of Kaspersky antivirus. And it didn’t even involve hacking the website. But wait! We all know having antivirus software may (and does) influence the execution of other programs. Now you can avoid antiviruses which is a good idea. But from the point of view of rights required debuggers are quite the same, and there’s quite a lot of other software that might have such rights. Not even mentioning the OS itself. Man-in-the-middle is not required to be outside, it just has to be between you and the program you try to audit.

P.S. Here’s the first link in Google to get the idea: https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

Note that CSS is just another way of detaching visual properties from actual information. There’re custom CSS' in lots of pieces of software around us, not only browsers. Should we stop using best programming practices?
revolution
DimonSoft wrote: You come back to blaming websites while ignoring non-web-applications that have much higher privileges.

There are many things I can do with native apps to increase my trust in, and control over, what they can do.
sleepsleep
leaking started the moment we read/write through TCP,
is like you went to library, you intended to borrow some books, but you don't want anyone including library to know, but then how library could confirm it was indeed you who returned those books and you were returning them in exact quantity?
revolution
sleepsleep wrote: is like you went to library, you intended to borrow some books, but you don't want anyone including library to know, but then how library could confirm it was indeed you who returned those books and you were returning them in exact quantity?
revolution
DimonSoft wrote: The idea is that you can use :visited pseudo-class to detect if the URL of the link has been accessed recently. And then there’s plenty of ways in CSS to attach an image to particular elements (say, background-image property). That’s quite enough.

It would be very difficult to guess the AV's injected URL when the URL has a GUID type identifier. If CSS can directly read the HTML and immediately extract anything it pleases then that would be a much larger threat than URL guessing.
revolution
Yet another example of JS being used to exploit you. And in this case it was to persecute the Uyghurs, but it could have been for anything they wanted.
https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html
It all started with JS. After that you're owned. You didn't need to click anything, or do anything, other than visit a webpage.
Bruce Schneier also reports on this: https://www.schneier.com/blog/archives/2019/09/massive_iphone_.html
DimonSoft
Google Project Zero wrote: This can be seen in the following two images, the left one showing the testcase published in the WebKit code repository as part of the bugfix and the right showing the part of the in-the-wild exploit code that triggered the bug.

So, it’s not that JS itself let it do the stuff, it’s just the buggy environment that fails to catch out-of-bounds errors. Having a buggy managed environment you could as well trigger it in plain C#, Java, whatever.

The victim is the user who opens a webpage. The attacker is the owner of a website containing the page. But website visitor should already trust the website owner, so the victim trusts the attacker.

Imagine you have a manager person who is responsible for managing the house you live in, like, say, making sure the house is clean and the bills are paid (browser). You tell the manager (browser) to invite someone for house cleaning (to open a webpage). The cleaning company sends him someone who has just got out of jail (malicious webpage). The cleaner person (malicious webpage) tricks the manager (browser) by exploiting his trusting nature (out-of-bounds bug) into letting him come into your room and steal your money, break everything, etc. (arbitrary code execution and stuff).

Now, who’s responsible for the situation? I say that it’s not the fault of the natural language they used to communicate. Whether they spoke Spanish, Latin, Esperanto or HTML, it could still be possible to achieve the goal. You can’t avoid using the language ’cause it’s just a way to express the idea of what should be done (shown to present a webpage to the user). They could have used sign language, pictures and DMDT (direct mental data transmission).

The problem is with the trusting manager (browser) but you have explicitly allowed (and even asked) an unreliable person (buggy browser) to meet the threat (malicious webpage). It is the manager’s fault but OTOH he just performed according to your instructions and did what he could.

So at the end of the day it’s your fault to trust cleaning company instead of cleaning the house yourself or making the manager wash your floors which he wasn’t taught to (browser has no information from the webpage until it downloads it). Now you either retrieve and process all the data yourself, or you have to trust your browser to be bugless (ha-ha, cool joke!) and the website owner (cleaning company) to be responsible enough not to send bad guys to you.

So, are you willing to stop using web browsers and other software that can get and process data from the internet?
revolution
DimonSoft wrote: But website visitor should already trust the website owner, so the victim trusts the attacker.

Last edited by revolution on 04 Sep 2019, 09:14; edited 1 time in total
guignol
KerimF
We have been taught when we were kids and we use teaching our kids now not to trust anyone who is stranger and offers something for free.
How many do we, the adults, break this advice every day? I mean, how many do we have to break it, by habit perhaps, daily? Fortunately, thieves are not interested in a rather empty pocket or house (as mine).

We like it or not; every new technology/discovery has always two faces; it could be used for the good or bad; it depends on the situation. Only dreamers (who didn't have yet enough experiences in life) believe that this natural truth could be changed someday.
guignol
Any-how, what is wrong with Ruby?
after JavaScript, anything with 'script' in the name (like SomeSkryptt), will sound as BullShit, all the same
DimonSoft
revolution wrote:
By running any application that accesses network you implicitly trust the application. Web browser produces its output by processing data retrieved from a website. It’s you who directs browser to that particular website. So you implicitly have to trust the website owner not to trick your browser into doing strange stuff. Just like you have to trust DOC file not to trick your MS Word into doing strange stuff. Trust or stop using all the tech stuff.
guignol
In Godd we trust.
KerimF
Quote:
Actually, it is not about 'trust'. It is about the necessity of obedience. Based on my observations, it seems to me that this is life since always. Only the tools in the world's masters/slaves games evolve with time. The good news is that most people around the world don't mind joining and even enjoy most of these games (some are international now). Meanwhile the most powerful rich Elite around the world keep investing, under or above the table, in developing better tools... for a brighter future.

Isn't it a wonderful world?
revolution
DimonSoft wrote: Web browser produces its output by processing data retrieved from a website. It’s you who directs browser to that particular website. So you implicitly have to trust the website owner not to trick your browser into doing strange stuff. Just like you have to trust DOC file not to trick your MS Word into doing strange stuff.
Copyright © 1999-2019, Tomasz Grysztar.