Arequire

They can't hack those, can they? :LOL::LOL::LOL: I love being old school!
Do not underestimate the NSA and CIA. They have been spying on the Russians for many years (and vice versa). :giggle:
Hence they keep secrets by typewriter :)
During much of the Cold War typewriters were state of the art, so they were the focus of spooks and spies just as mobile phone networks, emails and social networks are today. Techniques were developed to use cheap microphones to listen to key taps and decipher what was being written, spy cameras could peer over typists' shoulders and undercover agents could photograph and leak documents. Debonair KGB agents were even tasked with seducing typists and winkling information from them.

In 1984 the NSA became paranoid about the extent of this sort of Russian infiltration and began what it called Project Gunman, under which it replaced every piece of communications equipment at embassies in Moscow and Leningrad. It shipped the old devices back to the US for analysis, and when they were X-rayed it was discovered that 16 IBM Selectric typewriters had been bugged. For eight years they had sent the contents of every single document to the Kremlin, via a man crouching outside with a radio receiver.
 

shmu26

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
 

Andy Ful

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
I am afraid that using legal HTML5 APIs for infecting a web browser is somewhat similar to using LOLBins (LOLLibs) for infecting the system.
 

Deletedmessiah

HTML5, which cannot be blocked as easily as Flash. Who would have thought. And this is just the beginning, so much for the hated Flash. :cautious:


It seems to utilize iframes like crypto-mining malware, so blocking them should help, like popup blockers do.
I miss the click-to-play option that was in Flash. In HTML5 you may be able to stop autoplay, but media still loads and wastes your bandwidth and resources.
 

mathieuh

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
Except that there's actually no proof of concept, just a paper making allegations without any actual demonstration or code.
Please see
If there is indeed a way to achieve persistence, it's with a specific browser implementation, not the Service Worker API.
 

Moonhorse

wrote:About Push in Pale Moon:
Pale Moon mixed content blocking

Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.
Taken from palemoon forums
 

Kubla

So based off reading this, in theory ScriptSafe could potentially stop the JavaScript execution of this type of malware, thus stopping the infection?

~LDogg
Or using the script blocker built in to Brave for everything but your trusted sites.
 

shmu26

Or using the script blocker built in to Brave for everything but your trusted sites.
That's an interesting point. The element being abused here is HTML5. Wikipedia says about it: "HTML 5 on its own cannot be used for animation or interactivity – it must be supplemented with CSS3 or JavaScript."
So the question is: if we block JavaScript, will it block this exploit?
 

LDogg

Or using the script blocker built in to Brave for everything but your trusted sites.
I think ScriptSafe is fairly easy and user friendly, plus you can choose what scripts to allow. Brave's in-built blocker just blocks everything without the chance to choose which ones you wish to allow. So it's either all JavaScript on or off; this can break websites which use JS as its source.

~LDogg
 

Moonhorse

From: Service Worker - first draft published

Being able to run JavaScript before a page exists opens up many possibilities, and the first feature we're adding is interception and modification of navigation and resource requests. This lets you tweak the serving of content, all the way up to treating network-connectivity as an enhancement. It's like having a proxy server running on the client.
Browsers with service workers: Can I use... Support tables for HTML5, CSS3, etc

So yes, it's more likely JavaScript, so tools like NoScript + ScriptSafe or uBlock can be used to avoid it.
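
The posts above discuss service workers running in the background and Push. As an added example (not part of any post and not from the paper under discussion), this JavaScript lists the service workers registered for the current origin, notes which hold a push subscription, and can unregister any whose scope is not on an allowlist. The allowlist, the `example.test` URLs and the mock container are constructed for illustration.

```javascript
// Added example (not from the thread). In a browser console, call
//   auditServiceWorkers(navigator.serviceWorker, ['https://example.test/app/'])
// getRegistrations() only returns registrations for the page's own origin.
async function auditServiceWorkers(container, allowedScopes, unregister = false) {
  const report = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    // A push subscription lets a server wake the worker with no tab open.
    const sub = reg.pushManager ? await reg.pushManager.getSubscription() : null;
    const entry = {
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      hasPush: sub !== null,
      allowed: allowedScopes.includes(reg.scope), // hypothetical allowlist policy
      removed: false,
    };
    // unregister() resolves to true when the registration was found and removed.
    if (!entry.allowed && unregister) entry.removed = await reg.unregister();
    report.push(entry);
  }
  return report;
}

// Constructed stand-in for navigator.serviceWorker so the function runs under Node.
function makeMockContainer() {
  const mk = (scope, scriptURL, pushed) => ({
    scope,
    active: { scriptURL, state: 'activated' },
    pushManager: {
      getSubscription: async () => (pushed ? { endpoint: 'constructed' } : null),
    },
    unregister: async () => true,
  });
  return {
    getRegistrations: async () => [
      mk('https://example.test/app/', 'https://example.test/app/sw.js', false),
      mk('https://example.test/', 'https://example.test/unknown-sw.js', true),
    ],
  };
}

// Runs the audit over the constructed registrations and removes the unlisted one.
function demo() {
  return auditServiceWorkers(makeMockContainer(), ['https://example.test/app/'], true);
}
```

With JavaScript blocked for a site, `navigator.serviceWorker.register()` never runs there, so no new registration appears in this list for that origin.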
 

shmu26

So it's either all JavaScript on or off; this can break websites which use JS as its source.

~LDogg
You can make exceptions for the sites you want. I don't use Brave, but I do pretty much the same thing in Chrome. I bookmarked the Chrome settings page with the javascript button, and I have it toggled off, but to the right of the omnibar, Chrome puts a little javascript icon that I can click on, and make an exception for a certain site.

I actually do the same thing with Chrome image blocker, but that is not so much for security reasons, it's more for "decency" reasons.

EDIT: I just saw that @Arequire already made the same basic point.
 