The Meltdown of the Web.
Giacomo Tesio
Posted on September 3, 2018
As Bruce Perens recently put it, I'm "just a programmer".
A humble programmer. And a self-taught one.
A programmer that has learned how to program from a weird group of people whose core value is curiosity: the hackers.
So when I see a security hole affecting in various ways billions of people, I behave like a programmer. I try to fix it... or get it fixed. As soon as possible.
So a month ago, I wrote an article explaining how the Web is still a DARPA weapon (one that sometimes backfires, as the Russiagate shows).
There I describe two dangerous flaws of the Internet and the Web.
Once I realized that most security experts didn't understand the severity of the issue, I talked about it with a Mozilla developer who suggested I open an issue with Mozilla.
Thus I spent two hours writing a detailed bug report, but it was soon closed (without saying whether Firefox users are vulnerable to such attacks or not), because
Bugzilla is not a discussion forum.
On the suggested Lobste.rs thread (cached here), I asked (several times) if Firefox users are vulnerable to such a wide class of attacks, without getting a response.
Instead I got several sarcastic, condescending and even insulting comments.
Still, no response to such a simple question. Are Firefox users vulnerable?
When I reported the same issue to the Chromium team, it was closed in less than ten minutes with the same tone:
Filing a bug here isn't the way to change web standards no matter how you feel about them.
It is worth noticing here that both Mozilla and Google are WHATWG members and they write the Living Standards that we are talking about. Living Standards that basically follow the implementations.
To my mind, this means that you have to fix the implementations to fix the standard... but remember, I'm just a programmer!
Now, I think I've been very clear about the wide class of attacks that JavaScript opens. When asked to, I even carefully explained how simple it is to fix them.
But since
this is the Web functioning as designed
I want you to see what the Web is designed for.
PoC of one of the many possible exploits (bypassing corporate firewalls)
Please add a temporary line to your C:\Windows\System32\drivers\etc\hosts containing
127.0.0.1 local.jsfiddle.net
This mimics the attacker's control of the DNS.
Then try this simple JSFiddle with a WHATWG browser.
You can change the port number at line 21 to test for any port on your PC.
You can change the IP in /etc/hosts to probe other machines on your LAN.
JSFiddle (the fictional attacker) has just bypassed your corporate firewall/proxy.
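The hosts-file step above is what real attackers get from controlling a DNS name: a public name that suddenly resolves to loopback or LAN space, so a page served from that name can talk to local services. The two standard defences against that rebinding are a resolver that refuses such answers (the idea behind dnsmasq's --stop-dns-rebind option) and local services that check the Host header. The following is an added example written for this page, not code from the original post or from JSFiddle; the name local.jsfiddle.net comes from the PoC above, while the ".corp.example" internal zone, the LOCAL_HOSTS set and the sample answers are constructed assumptions.

```python
"""Two defender-side checks against the DNS rebinding step used in the PoC.

Added example: the functions, the internal-zone suffix and the sample data
are constructed for illustration, not taken from the original post.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Names that may legitimately resolve to loopback/private space on this
# resolver: single-label LAN names and the organisation's internal zone.
# The ".corp.example" suffix is an assumption for this example.
INTERNAL_SUFFIXES = (".corp.example",)


def is_internal_ip(address: str) -> bool:
    """True for loopback, RFC 1918 / ULA, link-local and unspecified addresses."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def name_may_be_internal(name: str) -> bool:
    """A name may point at internal space only if it is a bare LAN label
    (no dot) or lies under a configured internal zone."""
    n = name.rstrip(".").lower()
    return "." not in n or n.endswith(INTERNAL_SUFFIXES)


def filter_dns_answer(name: str, addresses: Iterable[str]) -> List[str]:
    """Resolver-side rebind protection: drop answers that map a public name
    onto internal address space, keep everything else unchanged."""
    if name_may_be_internal(name):
        return list(addresses)
    return [a for a in addresses if not is_internal_ip(a)]


# Service-side check: a daemon bound to 127.0.0.1 should only answer requests
# whose Host header names it the way a local client would. A page loaded from
# local.jsfiddle.net sends "Host: local.jsfiddle.net", which is refused.
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def split_host_port(host_header: str) -> Tuple[str, Optional[int]]:
    """Split "host[:port]"; handles a bracketed IPv6 literal such as [::1]:8080."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return h, None
        rest = h[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return h[:end + 1], port
    if h.count(":") == 1:
        host, port_text = h.split(":")
        return host, int(port_text) if port_text.isdigit() else None
    return h, None


def host_header_ok(host_header: str, listen_port: int) -> bool:
    """Accept only a local name or IP literal, optionally with the listening port."""
    host, port = split_host_port(host_header)
    return host in LOCAL_HOSTS and port in (None, listen_port)


if __name__ == "__main__":
    # Constructed samples: the PoC's rebound name versus ordinary lookups.
    print(filter_dns_answer("local.jsfiddle.net", ["127.0.0.1"]))  # []
    print(filter_dns_answer("printer", ["192.168.1.20"]))          # ['192.168.1.20']
    print(host_header_ok("local.jsfiddle.net:8080", 8080))         # False
    print(host_header_ok("localhost:8080", 8080))                  # True
```

The resolver filter is the coarse control: it stops the rebound answer from ever reaching the browser, at the cost of an allow-list for names that legitimately live in private space. The Host check is the fine-grained one and costs nothing: a service on 127.0.0.1 has no reason to answer a request addressed to someone else's domain.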
Everything is broken.
This is just one of the uncountably many attacks you can do this way.
I could go on for hours inventing more attacks. And you should be able to, too.
EDIT: here you can find another exploit
As explained in the bug report, you can target a specific person or group.
Even over a CDN (thus through a third party site that the victim trusts).
And then you can reload a harmless script from the same URL, overwriting the cached copy and removing all evidence of the attack.
It's really just a matter of competence and fantasy.
Still I'm not going to find a cool name or draw puppets to "evangelize" about it. I'm a programmer, not a clown.
How can we fix it?
As I explained in the bug report, the technical solution is basically to
- make users opt-in to program executions on a per-website basis
- treat such programs as potentially dangerous
You can read a simple recap with details here.
However, what you can see here is how deeply the Web is broken.
This is not (just) about JavaScript.
This is about people.