New browser attack lets hackers run bad code even after users leave a web page

Arequire

They can't hack those, can they? :LOL::LOL::LOL: I love being old school!
Do not underestimate the NSA and CIA. They have spied on the Russians for many years (and vice versa). :giggle:
Hence they keep secrets by typewriter :)

During much of the Cold War typewriters were state of the art, so they were the focus of spooks and spies just as mobile phone networks, emails and social networks are today. Techniques were developed to use cheap microphones to listen to key taps and decipher what was being written, spy cameras could peer over typists' shoulders and undercover agents could photograph and leak documents. Debonair KGB agents were even tasked with seducing typists and winkling information from them.

In 1984 the NSA became paranoid about the extent of this sort of Russian infiltration and began what it called Project Gunman, under which it replaced every piece of communications equipment at embassies in Moscow and Leningrad. It shipped the old devices back to the US for analysis, and when they were X-rayed it was discovered that 16 IBM Selectric typewriters had been bugged. For eight years they had sent the contents of every single document to the Kremlin, via a man crouching outside with a radio receiver.
 

shmu26

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
 

SumTingWong

A good reason to sandbox the browser, and deny its access to cookies, history, passwords, etc. :cautious: Strangely, the article stated this won't work on Internet Explorer, the one browser I wouldn't be caught dead using.

Would Shadow Defender work in this case?
 

Andy Ful

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
I am afraid that using legal HTML5 APIs for infecting a web browser is somewhat similar to using LOLBins (LOLLibs) for infecting the system.
 

Deletedmessiah

HTML5, which cannot be blocked as easily as Flash. Who would have thought. And this is just the beginning, so much for the hated Flash. :cautious:


It seems to utilize iframes like crypto-mining malware, so blocking them should help, like popup blockers do.
I miss the click-to-play option that was in Flash. In HTML5 you may be able to stop autoplay, but media still loads and wastes your bandwidth and resources.
 

mathieuh

Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.

Except that there's actually no proof of concept, just a paper making allegations without any actual demonstration or code.
Please see

If there is indeed a way to achieve persistence, it's with a specific browser implementation, not the Service Worker API.
 

shmu26

Except that there's actually no proof of concept, just a paper making allegations without any actual demonstration or code.
Please see

If there is indeed a way to achieve persistence, it's with a specific browser implementation, not the Service Worker API.

Thanks for the link. Good reading.
 

Moonhorse

wrote: About Push in Pale Moon:
Pale Moon mixed content blocking

Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.

Taken from the Pale Moon forums
 

Kubla

So based off reading this, in theory Scriptsafe could potentially stop the JavaScript execution of this type of malware, thus stopping the infection?

~LDogg

Or using the script blocker built in to Brave for everything but your trusted sites.
 

shmu26

Or using the script blocker built in to Brave for everything but your trusted sites.
That's an interesting point. The element being abused here is HTML5. Wikipedia says about it: "HTML 5 on its own cannot be used for animation or interactivity – it must be supplemented with CSS3 or JavaScript."
So the question is: if we block JavaScript, will it block this exploit?
 

LDogg

Or using the script blocker built in to Brave for everything but your trusted sites.
I think Scriptsafe is fairly easier and user friendly, plus you can choose what scripts to allow. Brave's in-built blocker just blocks everything without the chance to choose which ones you wish to allow. So it's either all JavaScript on or off; this can break websites which use JS as its source.

~LDogg
 

Moonhorse

From: Service Worker - first draft published

Being able to run JavaScript before a page exists opens up many possibilities, and the first feature we're adding is interception and modification of navigation and resource requests. This lets you tweak the serving of content, all the way up to treating network-connectivity as an enhancement. It's like having a proxy server running on the client.

Browsers with service workers: Can I use... Support tables for HTML5, CSS3, etc

So yes, it's more likely JavaScript, so tools like NoScript + ScriptSafe or uBlock can be used to avoid it
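
Added example, not part of any post in this thread: service workers are registered per origin by page JavaScript, so what an origin has installed can be listed and removed with the standard `getRegistrations()` and `unregister()` calls. The function name and its `allowedScopes`/`remove` options are assumptions of this sketch; it only reports unless `remove` is set.

```javascript
// Added example (not from the thread): audit of service worker registrations.
// `container` is navigator.serviceWorker when run in a page or DevTools console.
// The option names allowedScopes/remove are assumptions of this sketch.
async function auditServiceWorkers(container, { allowedScopes = [], remove = false } = {}) {
  const registrations = await container.getRegistrations();
  const report = [];
  for (const reg of registrations) {
    // A registration holds at most one worker per lifecycle slot.
    const worker = reg.active || reg.waiting || reg.installing || null;
    const allowed = allowedScopes.includes(reg.scope);
    let removed = false;
    if (!allowed && remove) {
      // unregister() resolves to true when the registration was found and removed.
      removed = await reg.unregister();
    }
    report.push({
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      state: worker ? worker.state : 'none',
      allowed,
      removed,
    });
  }
  return report;
}

// Report-only run, executed only where a service worker container exists.
if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  auditServiceWorkers(navigator.serviceWorker).then((rows) => console.table(rows));
}
```

Pasted into the DevTools console of a site, this lists that origin's workers; each origin has to be checked separately because registrations are scoped to the origin that created them.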
 

Arequire

Brave's in-built blocker just blocks everything without the chance to choose which ones you wish to allow. So it's either all Javascript on or off
Brave does allow granular control of scripts, just so you're aware:
 

shmu26

So it's either all JavaScript on or off; this can break websites which use JS as its source.

~LDogg
You can make exceptions for the sites you want. I don't use Brave, but I do pretty much the same thing in Chrome. I bookmarked the Chrome settings page with the javascript button, and I have it toggled off, but to the right of the omnibar, Chrome puts a little javascript icon that I can click on, and make an exception for a certain site.

I actually do the same thing with Chrome image blocker, but that is not so much for security reasons, it's more for "decency" reasons.

EDIT: I just saw that @Arequire already made the same basic point.
 
