I guess I mixed things up here. Looking through Mozilla’s code history, <iframe mozbrowser> used to have this effect but it was never available to regular web pages.
They *almost* got it secured. But there was this one jQuery quirk they failed to consider, probably didn’t even know existed. Sorry, that’s Remote Code Execution for you. 🤷‍♂️
The way this library tries to anticipate what you *might* have meant is a disaster.
Friendly reminder: #jQuery isn’t a good security choice.
Looking at a jQuery-based browser extension right now. The developer clearly made much effort to do it right. Almost no messing with HTML code, all values inserted escaped. ▶️
They decided to accept the reports via email after all, despite it not being their usual process. I guess I won’t add that snarky comment to the article to be written. That’s a good thing, I feel like I’m complaining too much already.
Oh, that’s why people list both their bug bounty program and email address in security.txt: so that, when contacted via email, they can respond with a request to resubmit via bug bounty program. 🤦‍♂️
Ok, six vulnerability reports sent. Deadline is April 19, and I can move on now.
But at least they have security.txt and a contact other than their bug bounty program. This will save me some time.
I have the proof-of-concept exploits (including the one bypassing same-origin-policy) done, but filing reports on all the vulnerabilities I found in the process will take time. There have been plenty…
Neat, they are using document.domain. So the attack surface just increased to encompass all of their web properties. *evil laugh*
@Chaos_99 I’m not sure whether you are aware of the context here: https://moxie.org/2022/01/07/web3-first-impressions.html
Given this context, it’s a massive difference whether we expect everyone to run their own server (unrealistic) or whether we merely want to make sure everyone has a choice of who they want to trust (far more realistic but still suboptimal if the promise was to get rid of such trust anchors).
@ondra I’d go with the more realistic “use regulation, financial incentives and whatever other measure works to keep competition alive, making sure there is a number of usable competing solutions including open source ones.” Not as ideal, but I just don’t see anyone put anywhere close to the amount of effort into a decentralized web as in democracies.
@ondra You yourself brought the perfect counterargument to that. Democratic countries put massive effort into educating the population. In addition, a number of control instances have been designed specifically to guard against a majority that will willingly hand the power to a dictator. And yet we’ve seen several democracies struggle or fail in recent years alone. Any concepts relying on people doing the “right” thing are fragile to impossible.
@ondra Let’s talk again once the benefits and inner workings of the distributed web are taught in school. With at least the same number of hours that democracy gets. 🙃
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him