How did they end up with this? Just how? 😭
I keep looking for something making this considerably more advanced than the proxy modules I implemented for PfP (5 kB of code). Yes, somewhat pointless privilege checking – a trivial addition. Yes, publish/subscribe model for events – not a big deal either. Nothing there…
There are factories creating exactly one type of object. Superclasses with exactly one subclass. And lots of message serializers – one module for each type of message. Didn’t anybody think of generalizing message creation? Yet there is plenty of pointless generalization here.
I’m still looking into Amazon Assistant code a bit, and the overengineering level of this whole thing is astonishing. The UBPClient library is 760 kB of code which is duplicated all over the place. Merely for communication between different frames.
One of the extensions managed to bring out five (5!) minor updates in that time, yet leave the vulnerable code completely unchanged. They have three weeks to go before disclosure; I should start writing the article…
I love Wikipedia, there has never been more information available to anyone. But it is always good to remember what it does not show.
All of this sounds too familiar, and my name isn’t even too unusual for the German ear (no more unusual than some names German kids get). I was lucky and people started recognizing my name thanks to Klitschko. But I also know a girl who preferred going by a “simpler” name.
And sometimes it’s not the end of the story. There is another massive “visitor” spike at 2 AM. Turns out, that’s another 800 Fediverse servers because @nolan posted a link to this article. And he has a larger followership than me, meaning more Fediverse servers that need to fetch metadata. 😀
Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.
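The post above relies on the service worker scope rules: a registered worker controls every URL under its script's directory, and the browser will not let a registration claim more than that unless the server opts in. The following JavaScript is an added example, not code from the post or from any project it mentions; it models those rules (default scope of "./" relative to the script, the max-scope check that the Service-Worker-Allowed header can relax, and prefix matching of client URLs) so you can check what a worker registered from a given script would control. The site, script and URL list are constructed for the example.

```javascript
// Added example: a model of the Service Worker registration scope rules, used
// to check which URLs a worker registered from a given script would control.
// Follows the spec's default scope ("./" relative to the script URL), the
// max-scope restriction that Service-Worker-Allowed can widen, and the
// prefix-based scope match on the client URL with its fragment removed.

class ScopeError extends Error {}

// Default scope: the directory containing the script (query is dropped by
// relative URL resolution).
function defaultScope(scriptUrl) {
  return new URL("./", scriptUrl).href;
}

// Scope a registration ends up with, or a ScopeError if a browser would reject
// it. documentUrl is the page calling register(); requestedScope is the
// optional {scope} option; serviceWorkerAllowed is the value of that response
// header on the script, if the server sent one.
function registrationScope(documentUrl, scriptUrl, requestedScope, serviceWorkerAllowed) {
  const doc = new URL(documentUrl);
  const script = new URL(scriptUrl);
  if (script.origin !== doc.origin) {
    throw new ScopeError("script must be same-origin with the registering page");
  }
  const scope = requestedScope === undefined
    ? new URL(defaultScope(script))
    : new URL(requestedScope, doc);
  if (scope.origin !== doc.origin) {
    throw new ScopeError("scope must be same-origin with the registering page");
  }
  // Max scope is the script's directory unless the server widened it.
  const maxScope = serviceWorkerAllowed === undefined
    ? defaultScope(script)
    : new URL(serviceWorkerAllowed, script).href;
  scope.hash = "";
  if (!scope.href.startsWith(maxScope)) {
    throw new ScopeError(`scope ${scope.href} exceeds max scope ${maxScope}`);
  }
  return scope.href;
}

// Scope match as the spec does it: prefix match on the client URL without
// its fragment.
function isControlled(scope, pageUrl) {
  const page = new URL(pageUrl);
  page.hash = "";
  return page.href.startsWith(scope);
}

function controlledUrls(scope, candidates) {
  return candidates.filter((u) => isControlled(scope, u));
}

// Constructed scenario (hypothetical hostnames): a site serves a vendored
// bundle under /static/vendor/. If an importScripts() call can be smuggled
// into that bundle and reflected XSS registers it, this is what it controls.
const SITE = "https://example.test/app/";
const SMUGGLED_SCRIPT = "https://example.test/static/vendor/bundle.js?v=3";
const SAMPLE_URLS = [
  "https://example.test/static/vendor/index.html#frag",
  "https://example.test/static/vendor/sub/api.json",
  "https://example.test/static/other.js",
  "https://example.test/app/",
  "https://evil.test/static/vendor/",
];

if (typeof require !== "undefined" && require.main === module) {
  const scope = registrationScope(SITE, SMUGGLED_SCRIPT);
  console.log("scope:", scope);
  console.log("controlled:", controlledUrls(scope, SAMPLE_URLS));
}
```

Run with node: the default registration lands on https://example.test/static/vendor/, so only the first two sample URLs are controlled, and asking for scope "/" fails unless the script response carries Service-Worker-Allowed. This is why a smuggle-able script sitting in a site's root directory is far worse than one buried under a deep static path.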
Whether and when PoC code for vulnerabilities should be published is a complicated topic, many different aspects playing a role here. Whether Microsoft should use their privileged access to GitHub in order to remove PoC code for their product is simple on the other hand: no.
Hard to believe, but in the Mozilla browser (pre-Firefox) a webpage could request the UniversalXPConnect privilege. If the user accepted, it got full access to their system. How was accepting this request ever a good idea, even with trusted websites?
I’ve seen a number of trust models for the web come and go, granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant