Here I show (with a trivial Proof-of-Concept) how to bypass corporate firewalls through any WHATWG browser.
It’s just one of the uncountably many attacks a competent developer could create, but should give a taste of the severity of the issue that Mozilla and Google will not fix.
@Shamar,
You’re right, but your approach is flawed.
Can you extol the virtues of a non-executable web, instead?
To @arnt and the commenters on the article who talk about tricking users into clicking YES… How exactly is a website going to prompt when the allegorical NX bit is set?
Well I think it’s pretty easy to imagine a web without JavaScript:
… <slide> or a <tree> tag) … <advertisement> tag to make them less annoying.

DISCLAIMER:
While I do think that the vulnerabilities we are talking about are so severe and dangerous that they deserve the emergency fix I proposed in the bug report, I do not think that we should suddenly remove JavaScript from the web.
While it’s true that I do not like the JavaScript language, I just think that people should have the right to choose who can execute custom programs on their device.
IMHO, making JavaScript opt-in on a per site basis would not break the Web, it would fix it.
Many wouldn’t use such a feature and would run every script they can reach.
But many others would use such freedom and control. And now, they cannot.
Instead, their security is at risk. And they are unaware of such a risk.
So, you want to load and view documents that are rendered from declarative source code rather than imperative source? I can get behind that!
You’re worried that high resolution micro-interaction data (mouse hover, scroll linger, etc) may reveal that I need eyeglasses? :) It may reveal that, but I’m more concerned that it would reveal my favorite color, or favorite body type. This type of data collection is my pet peeve. It’s nobody’s business which images or text I linger over in my idle time!
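As an added illustration, not code from the original thread or from any of its commenters: the micro-interaction telemetry this comment objects to is only a few lines of JavaScript once a page is allowed to execute scripts. The collector below records how long the pointer rests over each element, ranks the targets, and would ship the ranking with `sendBeacon` on unload without ever prompting the user. The event timeline, element ids and the collection endpoint are constructed for the example, and the DOM wiring is guarded so the same file runs offline under Node.

```javascript
// Added example: dwell-time ("linger") telemetry a page script can collect.
// Not from the original thread; element ids, timestamps and endpoint are constructed.

// Fold a pointer event timeline into milliseconds spent over each target.
// Events look like { type: 'enter' | 'leave', target: string, t: ms }.
function dwellPerTarget(events) {
  const open = new Map();   // target -> time the pointer entered it
  const dwell = new Map();  // target -> accumulated milliseconds
  for (const ev of events) {
    if (ev.type === 'enter') {
      open.set(ev.target, ev.t);
    } else if (ev.type === 'leave' && open.has(ev.target)) {
      const ms = ev.t - open.get(ev.target);
      dwell.set(ev.target, (dwell.get(ev.target) || 0) + ms);
      open.delete(ev.target);
    }
  }
  return dwell; // an 'enter' with no matching 'leave' is simply not counted
}

// Rank targets by total dwell, dropping anything below a noise floor.
function rankLingers(events, minMs = 250) {
  return [...dwellPerTarget(events)]
    .filter(([, ms]) => ms >= minMs)
    .sort((a, b) => b[1] - a[1])
    .map(([target, ms]) => ({ target, ms }));
}

// Constructed timeline: a visitor skimming a product gallery.
const SAMPLE_EVENTS = [
  { type: 'enter', target: 'img-blue-jacket',  t: 1000 },
  { type: 'leave', target: 'img-blue-jacket',  t: 1150 },
  { type: 'enter', target: 'img-red-jacket',   t: 1200 },
  { type: 'leave', target: 'img-red-jacket',   t: 4700 },
  { type: 'enter', target: 'img-blue-jacket',  t: 4800 },
  { type: 'leave', target: 'img-blue-jacket',  t: 5000 },
  { type: 'enter', target: 'para-pricing',     t: 5100 },
  { type: 'leave', target: 'para-pricing',     t: 5900 },
  { type: 'enter', target: 'img-green-jacket', t: 6000 }, // never left: page unloaded
];

// Browser-only wiring: attach listeners to every element with an id and
// beacon the ranking when the page is hidden. Returns false under Node.
function installCollector(endpoint) {
  if (typeof document === 'undefined') return false;
  const events = [];
  for (const el of document.querySelectorAll('[id]')) {
    el.addEventListener('mouseenter', () =>
      events.push({ type: 'enter', target: el.id, t: performance.now() }));
    el.addEventListener('mouseleave', () =>
      events.push({ type: 'leave', target: el.id, t: performance.now() }));
  }
  window.addEventListener('pagehide', () => {
    // sendBeacon is delivered even as the page unloads; nothing asks the user.
    navigator.sendBeacon(endpoint, JSON.stringify(rankLingers(events)));
  });
  return true;
}

installCollector('https://example.invalid/collect'); // hypothetical endpoint
console.log(rankLingers(SAMPLE_EVENTS));
```

Run it under Node to see the ranking from the constructed timeline (the red jacket at 3500 ms, then the pricing paragraph, then the blue jacket); in a browser the same functions attach to the live DOM. A document without script execution has no equivalent of `mouseenter`, which is the point the comment above is making.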
In the distant past of the late nineties, I used to teach fellow travelers that
.txt, .jpg, .gif, and .html files are safe and .exe, .com, and .bat files were unsafe. It was a bright line and it helped users be responsible for their own online safety. That browser vendors decided to allow executable scripts inside otherwise declarative documents obliterated that bright line.

The proposed fix isn’t: We already know that users can be made to click “yes” with a bit of social engineering. Not all users all of the time, but few attacks need to work against all users all of the time.
More generally, this attack seems to be just another instance of conflicting security models. Kudos to Google and Mozilla for accepting that they have to choose, and sticking with their choice.
And I really think that they have the right to choose!
Same for Microsoft, Apple, Opera… all have the right to pursue their own priorities.
But, IMHO, they should clearly inform their users about the risks of using their browsers.
Including corporate users, obviously. And governments…