Thursday, 2 July 2015

Researcher Circumvents NoScript Firefox Through Google Cloud


A researcher has managed to circumvent the popular Firefox extension NoScript by using the Google cloud. NoScript is an extension that can block JavaScript and other code on websites. It thus prevents malicious code on a compromised Web site can be started or ads, trackers and active content are automatically loaded.

The add-on protects both security and privacy. More than 2.2 million Firefox users have installed NoScript, making it one of the most popular extensions for Firefox. NoScript also allows users to set up a whitelist domains. Scripts in this domain will be run automatically. Some areas are already standard on the NoScript whitelist, such as Mozilla, YouTube, Google and Yahoo.

This concerns not only the fields, but also the sub-domains under the domain. Besides google.com also scripts on voorbeeld.google.com automatically accepted by NoScript. Recently discovered researcher Matthew Bryant that one of the areas that had expired stood on the NoScript whitelist and thus was available to everyone. Bryant registered the domain and placed here Javascript code, which automatically performed by NoScript. The developer of NoScript came with an update so that the domain from the default whitelist has been removed.

The publication of Bryant urged another researcher to look for a new opportunity, as well as subdomains of whitelisted domains attack vector for an attack can be used. Researcher Linus Sarud saw that the domain googleapis.com standard in the whitelist, meaning that script code storage.googleapis.com this is done by default. Through this domain, users can host files as they use the Google cloud storage. Another researcher named Mathias Karlsson worked out the idea and came up with code that NoScript was again defeated.

The problem has been fixed by the domain googleapis.com change to the whitelist in ajax.googleapis.com . However, subdomains are still automatically whitelist. Users of NoScript, however, can delete the default whitelist and only own domains to this place.

No comments:

Post a Comment