Script-blocker NoScript lets in ANYTHING from googleapis.com

Whitelisting tool was too trusting, by far

Detectify security researcher Linus Särud has reported a weakness in popular Firefox security tool NoScript that allows attackers to have their malware whitelisted.

The tool is used by some two million security-and-privacy-conscious folk who want to stop active content like JavaScript and Flash getting a foothold in their browsers.

Such folk will be disappointed to learn that Särud (@_zulln) says attackers could upload their net menace of choice to any free Google subdomain and have it slip through NoScript's defences.

The researcher says blanket whitelisting of googleapis.com means he was able to create a script that could pass default NoScript configurations and be executed within user browsers.

"My first thought was to try to find some interesting subdomain to any of these domains, such as an old forgotten domain still pointing to a service online, Särud says.

"As all subdomains also are whitelisted, I understood storage.googleapis.com would work just fine.

"Just by visiting the file JavaScript will execute, even if NoScript with default configuration is installed."

Särud notified NoScript which quickly altered the whitelist entry for googleapis.com to instead allow only Google's hosted libraries at ajax.googleapis.com.

The researcher probed NoScript after fellow hacker Matthew Bryant (@IAmMandatory) found a host of disused default whitelisted domains and purchased one to successfully launch attacks that bypassed default installations.

Bryant intended to launch a store cross-site scripting attack on a subdomain trusted by default for any out-of-the-box whitelisted domains.

That venture was cut short when he found the whitelisted zendcdn.net was available for purchase at just US$10, so he snapped it up and used it to point at his JavaScript payload.

"I encourage [everyone] to please purge your whitelist. Remove everything you don't trust," Bryant says.

"It is my opinion that universal bypasses for NoScript should actually be quite easy to find since the default whitelist exposes so much surface area."

NoScript users can review their whitelists through the options feature. ®




Biting the hand that feeds IT © 1998–2019