PC World, Is Web 2.0 Safe?

Discussion in 'other security issues & news' started by flinchlock, Jun 7, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    http://www.pcworld.com/article/id,132153/article.html
    (my bolding)

    Mike
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Nice read.

    Thanks,

    Chris
     
  3. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Even better reading, search for any post by @elio.

    I have learned a lot, especially when @elio and @Rmus "discuss" whatever exploit. There are also many other posters that contribute to these discussions. :thumb: :thumb: :thumb:

    Mike
     
  4. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    /me giggles :D

    This is the part I love most:
    Normally... :rolleyes:

    Latest blog entry by Robert Hansen AKA RSnake (quoted by the PC World's article) here: http://ha.ckers.org/blog/20070607/the-javascript-paradox/
     
  5. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Last edited: Jun 8, 2007
  6. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    This article is still very interesting and full of common sense... :rolleyes:

    Don't get me wrong, PC World's guys are proving to be smart and proactive (see above).
    Maybe this means that they watch this forum or, more likely, that they can read their logs better than someone else who needed a report after one month of this...

    But that's still #3, "Penetrate and Patch", anyway :cautious:

    On the other hand, they are recommending NoScript on their front page right now: there's hope for redemption ;)

    Rich, relax and click, it's nothing harmful. I hope you enjoy it.
    BTW, I swear on my honor that no link I'll post here will do any harm, just fun (when possible).
    But keeping scripts disabled on message boards is basic hygiene, you're right.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    When I read this kind of sentence, I instantly close the article and stop reading.

    Control the browser ... Really? Anyone ... Really?

    Makes me wanna crucify myself, but in a gentle sort of way.

    Mrk
     
  8. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Yes, really.
    If you're picky, "interact with MySpace impersonating the victim", AKA "session riding".
    Anyone browsing MySpace with JavaScript enabled.
    RSnake would rate this "Anyone" as 99.99% accurate.
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I personally dislike "the rich features"! :thumbd:

    I sure hope the paranoid posters here at Wilder's understand how important brain.exe, FF AND NoScript are to their safety!

    (my bolding in the RSnake quotes)

    Mike
     
  10. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  11. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    No, not really.

    1. Why would you use MySpace? It's like using AOL.
    2. And I do not agree with "anyone" browsing MySpace with JS enabled - although "anyone" using MySpace is using IE, in which case it is very likely.
    3. Impersonating someone on MySpace - it's much like giving a false name when ordering a roast beef sandwich at Aroma cafe chain. If anyone is going to give their credit card / fall in love / donate kidney to someone called johhny87 on MySpace, well then ...

    Mrk
     
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    You are a pretty funny guy... KEEP IT UP! :thumb: :thumb: :thumb: :thumb:

    Mike

    P.S. No need to reply to this post.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Elio, it doesn't seem to work on Opera (while it is working on FF). Why?
     

  15. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Because Opera is SLOW :D

    The "trick" is set to be done after the page finishes loading completely (including images and other objects), and your report seems to suggest Firefox finishes sooner.

    This slightly modified version takes care of Opera's sluggishness

    If you post one of your beautiful screenshots when you're done, that would be great :)
     
    Last edited: Jun 8, 2007
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Slow in what? On my system Opera is significantly faster than FF.
    I tried it, nothing happens at all.
     
  17. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    In page loading, seemingly.
    Are you sure you've got JavaScript enabled?
    Maybe you're seeing cache?

    This is what I get on Opera 9.21:
    PCWorldWeb2.jpg
     
    Last edited: Jun 8, 2007
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    That attachment of yours is not there...
    Mrk
     
  19. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Edited above, thanks... strange, I copied & pasted the code from the "Manage attachment" section, exactly as I've done now o_O
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It works. JS was off for PC World; I was mistaken, as Site Preferences in Opera work differently than NoScript.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK so there is some kind of XSS vulnerability in the pcworld.com site? And what does it do exactly?

    Also, these kinds of things can easily be avoided by going directly to sites where you need to enter important data (online shopping, banking).
     
  22. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    That's not the point. The vast majority of websites are vulnerable.
    Whatever the attacker decides to do with your browser on the vulnerable website (or to the website appearance as you can see it in your browser), like any other XSS vulnerability. In this case, ironic instant defacing, but it could as easily be comment spam using your browser and your IP, bullet-proof credentials phishing (even automatic through auto-complete), session riding if you're already logged in, malware installation by faking the "downloads" section and so on.
    Not necessarily, use some imagination. Worth reading may be this topic and this recap post.
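
The site-side fix for the kind of XSS discussed in the post above, as an added example that is not part of the thread: the same template rendered without and with output encoding, plus a script-restricting response policy. It assumes the flaw is a request parameter reflected into the page (the thread does not say); `renderVulnerable`, `renderHardened` and the `q` parameter are hypothetical names.

```javascript
// Added example (not from the thread). Assumption: the page reflects a
// request parameter into its HTML, the usual shape of a link-triggered XSS.
// renderVulnerable/renderHardened and the "q" parameter are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the parameter is concatenated into markup, so any tags it
// carries become part of the page and run with the site's origin.
function renderVulnerable(q) {
  return '<h1>Results for ' + q + '</h1><input name="q" value="' + q + '">';
}

// AFTER: the same template with the value encoded at the point of output.
function renderHardened(q) {
  const safe = escapeHtml(q);
  return '<h1>Results for ' + safe + '</h1><input name="q" value="' + safe + '">';
}

// Response headers a site can add as a second layer: with this policy the
// browser refuses inline script even if an encoding step is missed.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Crude check used below: does supplied markup survive as markup?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

// Constructed sample inputs: harmless markers, one per output context.
const samples = [
  '<script>document.title="defaced"</script>', // element content
  '" onfocus="document.title=1" autofocus="',   // attribute breakout
];
for (const s of samples) {
  console.log('vulnerable:', containsActiveMarkup(renderVulnerable(s)),
              'hardened:', containsActiveMarkup(renderHardened(s)));
}
```

Encoding has to match the output context: this helper covers element content and quoted attributes only, not values placed inside script blocks or URLs.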
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Elio, can policy based sandboxing of the browser prevent against XSS in any way? I think not!
     
  24. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Of course it cannot, you're right.
    Sandboxing works around your browser: it controls the interaction of the browser with your local filesystem, and can be useful against malware installation.
    XSS happens all inside your browser, hence sandboxing can't do anything against it.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks elio. I guessed so.
     