  2. 10

    Is anyone else thinking these headless modes in Chrome and Firefox are going to be targeted by malware to do more realistic browsing/spamming from compromised machines without having to download anything extra?

    1. 3

      The problem is not the ‘browser’ but your install footprint and how you economically make your traffic come from residential IPs.

      The problem with a headless browser is that your maliciousness is limited to what you can do in a regular browser anyway, otherwise you need a pile of C++ developers that can wrap themselves around a browser codebase to fork your own version.

      MethBrowser, the name the creators used for the marketing ‘splurg’ called MethBot, used a much saner strategy where they wrote enough node.js (mocking window, document, etc) to make JavaScript scripts think they were running in a web browser (including having Flash running). This meant development was 100x easier and faster plus they could mutate content as it loaded in too.

      Most amusing was that, to save bandwidth, instead of downloading the .mp4 they used a locally stored Lego Technics video showing some automated crank thing. Ironic, I felt, and side-creasing to watch.

      The original author, a contractor by the look of the git history (an interesting read in itself), is a bright guy, and what he put together was simply stunning.

      Their downfall was that the sandboxing sucks and you can break out using constructor.

      1. 1

        The problem with a headless browser is that your maliciousness is limited to what you can do in a regular browser anyway, otherwise you need a pile of C++ developers that can wrap themselves around a browser codebase to fork your own version.

        Depends on what you define as maliciousness. Some headless browsers can be scripted with JS; that might be all you need to systematically misuse a web property.

        1. 1

          It is more the JS that runs in the browser than what you are using to drive it which is the limiting factor I am referring to. For example, in a vanilla headless browser, from JavaScript you cannot ‘massage’ what location.ancestorOrigins says to other scripts running on the page.

      2. 1

        It looks like headless mode will be a command-line argument, so… for malware to run a headless Chrome or Firefox, it may already need to be able to start a new process. If the malware can already start a new process, not needing to download anything extra doesn’t seem like a huge ease-of-compromise improvement, but I am literally Just A Random Non-Security Developer.

      3. -1

        Sweet!