
Issue 879381

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 30
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery

Reported by giac...@tesio.it, Aug 30

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Steps to reproduce the problem:
Extensively described at:
1. https://bugzilla.mozilla.org/show_bug.cgi?id=1487081
2. https://lobste.rs/s/vwcetz/undetectable_remote_arbitrary_code
3. https://medium.com/@giacomo_59737/the-web-is-still-a-darpa-weapon-31e3c3b032b8#5eab

These attacks leave NO evidence on the user's machine.

What is the expected behavior?
The browser should not blindly execute programs that could be customized to attack the user or a third party through the user's machine.

The execution of any program should be opt-in instead of opt-out.

JavaScript pages should be marked as "Not Secure" just like HTTP ones.

What went wrong?
A malicious server or CDN could gain control of several victims' resources like

- their IP
- their bandwidth
- their computing power
- their RAM
- their disk (through browser cache)
- potentially other resources (gained through access to system vulnerabilities, think about Spectre/Meltdown)

This sort of attack will be made even worse through the distribution of optimized WebAssembly (which will be way more obscure than obfuscated JavaScript).

Did this work before? No 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: 
Flash Version:
 
Labels: Restrict-AddIssueComment-EditIssue
Status: WontFix (was: Unconfirmed)
Filing a bug here isn't the way to change web standards no matter how you feel about them.

Comment 2 by sheriffbot@chromium.org (Project Member), Dec 7

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
