Script-blocker NoScript lets in ANYTHING from googleapis.com
Whitelisting tool was too trusting, by far
Detectify security researcher Linus Särud has reported a weakness in popular Firefox security tool NoScript that allows attackers to have their malware whitelisted.
Such folk will be disappointed to learn that Särud (@_zulln) says attackers could upload their net menace of choice to any free Google subdomain and have it slip through NoScript's defences.
The researcher says blanket whitelisting of googleapis.com means he was able to create a script that could pass default NoScript configurations and be executed within user browsers.
"My first thought was to try to find some interesting subdomain to any of these domains, such as an old forgotten domain still pointing to a service online, Särud says.
"As all subdomains also are whitelisted, I understood storage.googleapis.com would work just fine.
Särud notified NoScript which quickly altered the whitelist entry for googleapis.com to instead allow only Google's hosted libraries at ajax.googleapis.com.
The researcher probed NoScript after fellow hacker Matthew Bryant (@IAmMandatory) found a host of disused default whitelisted domains and purchased one to successfully launch attacks that bypassed default installations.
Bryant intended to launch a store cross-site scripting attack on a subdomain trusted by default for any out-of-the-box whitelisted domains.
"I encourage [everyone] to please purge your whitelist. Remove everything you don't trust," Bryant says.
"It is my opinion that universal bypasses for NoScript should actually be quite easy to find since the default whitelist exposes so much surface area."
NoScript users can review their whitelists through the options feature. ®