
Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Firefox, Opera allow crooks to hide an entire phish site

"A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.....the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. .....

Google’s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera."

Sounds nasty. I would assume Sea Monkey is also vulnerable. Just another reason to be leery of shortened URLs.

»www.theregister.co.uk/2012/09/03···s_peril/
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


FF4m3

@bhn.net

I wrote a simple Proxomitron filter for this. It removes 'data:' and 'data_uri' from webpage code. It may neuter the described vulnerabilities.

Not sure yet if it's too broad, or effective in all cases, or will break pages.

Am testing it now.

Name = "Remove Data URI [12.08.04]"
Active = TRUE
Limit = 8
Match = "(data:|data_uri)"
 


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

reply to Mele20

said by Mele20:

"...and once shortened using a service such as TinyURL..."

Which is why I avoid TinyURL and clicking on their links.

And no I can't be bothered trying to figure out the actual URL even if it is possible.
--
Don't feed trolls--it only makes them grow!


FF4m3

@bhn.net

reply to FF4m3
My above filter is targeting too broadly with negative impact at some sites. I've removed it from my config.



therube

join:2004-11-11
Randallstown, MD

4 edits

reply to Mele20
> I would assume SeaMonkey is also vulnerable

Sure, why not.

Now this phish site, is it hosted on a foreign domain? Does it require Javascript?

Well then.

And in addition to Proxo, what else knows to check for & help protect against data: URI, including blocking, by default, both javascript: & data: URI typed into the address bar?

(I either couldn't get his sample code to work, it simply seemed to bring up a wikiMedia page, or didn't understand what it was supposed to do?)

OK, got it.
It brings up a "phish" site, wikimedia, which was made to look like wikipedia.

Here is the sample code, the same, just a bit easier to get to, »pastebin.com/pdkzuPjJ.

Oh, & do note that data: URI are perfectly legitimate.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

reply to Mele20
why only Ff and Opera?



Ctrl Alt Del
Premium
join:2002-02-18

said by AVD:

why only Ff and Opera?

Because IE and Chrome limit the amount of data you can pack into a data URI. Firefox and Opera don't have limits.

Note: this is not an overflow vulnerability. This is a "feature" that is being taken advantage of.
--
less talk, more music


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

reply to Mele20
Ctrl Alt Del is right. The discussion about this in a thread over in Opera's security forum, "The Register outs Opera & Firefox", can be summarized:

The data URI scheme has been an official standard since 1998 and is supported by all browsers, at least to some extent. IE and Chrome restrict or block some aspects of its behavior, but other browsers do not. (Data URI scheme) In Opera, the address bar will always show the relevant URI address as a URI (and does not show a badge, as do normal URLs); the link tooltip will show that it's a data URI. Simply restricting the length of data URIs would not accomplish what one might expect, since one could merely create a container for the data URI and load the other elements from external hosts like URL shorteners.
Bottom line: the Register article describes a malicious use of a standard that is supposed to work this way, but if one knows how to use their browser and understands the information it provides, they should not be deceived.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Blackbird:

the Register article describes a malicious use of a standard that is supposed to work this way, but if one knows how to use their browser and understands the information it provides, they should not be deceived.

PBCAK
--
--Standard disclaimers apply.--


therube

join:2004-11-11
Randallstown, MD

Not really.

If you happen to see it, maybe you'd want to be more suspect, but just because there exists a data: URI does not mean that it is nefarious.

Further if it is embedded in the web page code, you're not going to know it is there in any case, except again, if you happen to note the URI on a mouseover.

And then if it is a "trusted" site that has been hacked, with the code embedded, loaded into an IFRAME or the like ...

It is really no different from any other type of URI only that one is more readily readable (understandable by you and I) than the other.



therube

join:2004-11-11
Randallstown, MD

reply to Mele20
MSDN: data Protocol
DMO: data URIs


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to Mele20

looking at the webpage that "therube" posted a link to, »developer.mozilla.org/en-US/docs/data_URIs , i saw the code "data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E".. i tried putting that in my browser's address bar and got what is shown in the image..

it looks like, if you are using "firefox" with the "noscript" addon, you are protected against the "URI" thing..
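
Added example (not part of the thread and not any poster's code): a Node.js check that parses a data: URI per RFC 2397, decodes its payload, and lists the reasons a link target or redirect destination deserves a closer look. The function names and the constructed login-form and image samples are assumptions for illustration; the Hello World URI is the one quoted in the post above.

```javascript
// Added example. parseDataUri follows RFC 2397: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^\s*data:([^,]*),(.*)$/is.exec(uri);
  if (!m) return null;                         // not a data: URI
  const params = m[1].split(';').map(s => s.trim().toLowerCase());
  const isBase64 = params[params.length - 1] === 'base64';
  if (isBase64) params.pop();
  const mediaType = params[0] || 'text/plain'; // RFC 2397 default type
  let body;
  try {
    const raw = decodeURIComponent(m[2]);
    body = isBase64 ? Buffer.from(raw, 'base64').toString('utf8') : raw;
  } catch (e) {
    body = m[2];                               // bad percent-encoding: inspect raw text
  }
  return { mediaType, isBase64, body };
}

// Reasons a link target (or redirect Location value) deserves a closer look.
// An empty list means nothing was flagged; data: URIs as such are legitimate.
function assessTarget(target, viaRedirect) {
  const d = parseDataUri(target);
  if (!d) return [];
  const reasons = [];
  const renders = /^(text\/html|application\/xhtml\+xml|image\/svg\+xml)$/.test(d.mediaType);
  if (renders) reasons.push('renders as a document: ' + d.mediaType);
  if (viaRedirect) reasons.push('redirect lands on a data: URI');
  if (renders && /<form\b/i.test(d.body)) reasons.push('contains a form');
  if (renders && /<input\b[^>]*type\s*=\s*["']?password/i.test(d.body)) {
    reasons.push('asks for a password');
  }
  return reasons;
}

// Inputs: the first is the sample quoted in the thread; the others are constructed.
const HELLO = 'data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E';
const LOGIN = 'data:text/html;base64,' +
  Buffer.from('<form><input type="password" name="p"></form>').toString('base64');
const PIXEL = 'data:image/gif;base64,R0lGODlhAQABAAAAACw=';

function demo() {
  return [
    assessTarget(HELLO, false),   // typed or clicked directly
    assessTarget(LOGIN, true),    // reached through a shortener redirect
    assessTarget(PIXEL, false),   // inline image: not flagged
  ];
}
console.log(demo());
```
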


therube

join:2004-11-11
Randallstown, MD

1 edit

quote:
data: URI typed into the address bar
(Note that in SeaMonkey / NoScript, there is some sort of bug, in that you needn't actually change the specified Pref. All you need to do is to open about:config, & that alone is enough to allow data: URI.)

& NoScript offers [XSS] data: URI detection.

& whatever this is:

+ More flexible noscript.forbidXBL about:config preference:
  0 - allow all XBL
  1 - allow trusted and data: (Fx 3) XBL on any site
  2 - allow trusted and data: (Fx 3) XBL on trusted sites
  3 - allow only trusted XBL on trusted sites
  4 - allow only trusted XBL from the same site or chrome (default)
  5 - allow only chrome XBL
 


norwegian
Premium
join:2005-02-15
Outback

reply to Mele20
I've always tried to stay away from the shortened url/uri's. To me it always seemed another proxy/server to go through and I'm glad I did.



FF4m3

@bhn.net

reply to therube

said by therube:

& whatever this is:

+ More flexible noscript.forbidXBL about:config preference:

XBL (XML Binding Language)

Floriana

join:2012-05-23

reply to Mele20

said by Mele20:

"A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.....the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

That's too bad. Hopefully, I use Google Chrome most. Google Chrome is my default browser. But I still have Firefox and Opera on my PC. Sometimes I use Firefox to visit a specific website. Too bad.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to redwolfe_98

said by redwolfe_98:

looking at the webpage that "therube" posted a link to, »developer.mozilla.org/en-US/docs/data_URIs , i saw the code "data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E".. i tried putting that in my browser's address bar and got what is shown in the image..

it looks like, if you are using "firefox" with the "noscript" addon, you are protected against the "URI" thing..

I put that in Fx address bar and got a page that said "Hello, World". I don't use No Script.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Blackbird
I see the Opera thread got locked. Why? I wanted to ask the poster who mentioned a "badge" in the address bar about it. What is he talking about? There is no badge in an address bar. Opera does put a stupid star at the right end of the address bar but that is all. BEFORE the address bar (adjacent on the left side) is a lock for secure sites and a strange looking gray ball for all other sites. No more favicons for sites which is one reason I seldom use Opera these days.

But a badge?? Where? He says a "normal" URL shows a badge? I sure can't see a badge just as I can no longer see a favicon for the site. By "badge" does he perchance mean the strange looking gray ball that has replaced all favicons and more or less ruined Opera?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by Mele20:

I see the Opera thread got locked. Why?...

Two reasons: first, the thread title wording did not describe a specific problem within Opera (it probably should have been worded along the lines of "URI exploitation vulnerability in Opera?"). This is a significant mod concern in forums like Opera's where virtually all the problem-solving is done by volunteer users who only want to enter a thread where they feel they have expertise in that area (or are having similar problems). Opera does have "lounge" forums for opinions or general discussion of Opera (or anything else, for that matter). Second, the problem was not deemed by the mod to be an Opera security/privacy problem (as explained in his post near the end of that thread, and the category of the forum in which the thread appeared). Because the URI performance within Opera (and many other browsers) fully meets the 1998 data URI standards, the problem (if any) exists as a standards problem, not a browser problem. That two other browser flavors limit the full implementation of that standard is a choice those designers have made (and not necessarily for the security question at hand). But Opera generally attempts to fully implement all the Internet/coding standards it can, and it probably believes this kind of issue should be addressed by the standards committee involved. Unilaterally choosing not to fully meet standards (even over a security issue) has all manner of implications with regard to breaking legitimate site code.

said by Mele20:

... I wanted to ask the poster who mentioned a "badge" in the address bar about it. What is he talking about? There is no badge in an address bar. ... BEFORE the address bar (adjacent on the left side) is a lock for secure sites and a strange looking gray ball for all other sites. ... But a badge?? Where? He says a "normal" URL shows a badge? I sure can't see a badge just as I can no longer see a favicon for the site. By "badge" does he perchance mean the strange looking gray ball that has replaced all favicons and more or less ruined Opera?

Indeed, the badge is the "gray ball" icon (which is actually a small, blue earth-globe) which appears when the text in the address bar is a legitimately-formatted "http" URL. If the URL is secure (https), a greenish lock icon will appear there. If the URL is something Opera is processing as code (such as a URI), a red Opera icon will appear there. This is what Opera terms a "badge", and it tells the user the nature of the page being displayed on his screen.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

1 edit

That was a good explanation of why the thread was locked and I agree it could have had a better title for the forum that was chosen to post it in or it could have been posted in a more general Opera "opinion" discussion forum.

As to the badge, first off Opera needs to understand that a LOT of us do NOT have the cloud crap turned on and never will. So, I will never see anything "badge" wise except a strange looking ball or a gold or green background for the "badge" on ssl sites along with an "evil" black lock (should be gold if not evil). I do NOT see a warning red Opera icon with a URI and I don't see a dark, blue gray folder when a file from my computer is being displayed. All I see is, to be very precise, a MINT GREEN ball that has three gray dots inside it. My Opera theme is Standard but it correctly defaults to my Windows theme colors so if I change my Windows theme then Opera colors will change and I might see a bright red ball instead of mint green depending on my new Windows theme. My point being that Opera's crap about the colors in the address bar is just that UTTER CRAP. I have five other Opera themes besides standard and they don't use my Windows theme colors. I just tested every one of them and Opera is completely wrong with that color scheme they have in their new, extremely confusing to use, Help file for Opera 12. The colors for the badge change based on the THEME you use. The color of the ball and the background to the ball is dependent on the Theme used and the other badges are not there except the locks which are too small and should not be black as it is hard to tell at a glance if they are closed or open. They should be gold and taller. They are a funny too wide shape in the Opera Help file. On my monitor they are taller and not distorted looking like in the help file but they are too small for black color.

You don't happen to know if Opera has an extension that will add back the gold lock to the right end of the address bar which shows black and unlocked if bad (and to the status bar) do you? I have such an extension for Fx and Sea Monkey and it is a godsend.

The Trusted site junk is crap also. Opera is NOT IE and should not imitate it. I have always hated that crap in IE regarding internet sites, trusted sites, and restricted sites. Utter stupidity. They are all internet sites and I never used Trusted or Restricted when I had to use IE (except when the only way to be able to access a site was to put it in trusted and almost ALL sites were like that...so what a joke "trusted" is in IE). I wouldn't give "trusted" sites more trust than other internet sites...all can be infected and compromised! Opera says the Trusted sites will be in the Trusted list and will show as Trusted sites by the badge next to the URL. BS. I have not put any sites in Trusted. Yet, when I looked at the list something had put Microsoft site into the Trusted list but it is not on the list (only 4 Opera sites are on the list and they should not be). NO site should EVER be trusted for immediate, without warning, downloads. Good heavens, Opera! That is very bad security. Plus, Opera should not be encouraging users to place sites in that list. It is bad security.

Microsoft live login site got invisibly in the Trusted sites list I assume because it is a "verified" site.

Now I am really angered. I just tried to remove those four sites that Opera placed in the Trusted sites. I can't do it. At least not from Preferences/Advanced/Trusted Websites. I want Trusted Websites to be turned OFF PERMANENTLY. Do you happen to know how I can do that? I do not want any website to be allowed to download without my EXPRESS PERMISSION EACH TIME!

Edit: Why the gross inconsistencies in that badge area? Certain Opera sites actually show the Opera favicon there. On other Opera sites there is no round ball or ANYTHING there! The badge area is BLANK. Then there are the related problems of many favicons NOT showing on the tab bar in Opera 12. They are just BLANKS. The only way to navigate is to use the mouse to see the tab thumbnail on hover. Even Dell site no longer has favicons on Opera tabs.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

