Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.
Whether and when PoC code for vulnerabilities should be published is a complicated topic, with many different aspects playing a role here. Whether Microsoft should use their privileged access to GitHub in order to remove PoC code for their product is simple on the other hand: no.
Hard to believe, but in the Mozilla browser (pre-Firefox) a webpage could request the UniversalXPConnect privilege. If the user accepted, it got full access to their system. How was accepting this request ever a good idea, even with trusted websites?
I’ve seen a number of trust models for the web come and go; granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.
At least that’s the hope. I mean, there are lots of security researchers, there is antivirus software. A custom Chrome build distributed to only a few people will hopefully stick out and be discovered. And Google doesn’t want the resulting backlash.
Given the amount of damage malicious code in an application can do (and occasionally does), this is in fact surprising. Do people really trust e.g. Google that much? Probably not. But outright malicious code in Chrome is likely to be discovered, which makes it too risky.
Amazon’s behavior wrt their bug bounty program is weird. They limited the scope to only specific amazon[.]com subdomains, even though compromise on any subdomain affects the entire domain. And they won’t disclose any reports. #BugBounty
Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users. #privacy #infosec #Amazon
Ok, I’m proofreading the article, should publish it shortly. It got really long once again…
Then again, I’m not sure that I will be done on Monday. This is even bigger than I thought originally. 🙄
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant