Script-blocker NoScript lets in ANYTHING from googleapis.com

Detectify security researcher Linus Särud has reported a weakness in popular Firefox security tool NoScript that allows attackers to have their malware whitelisted. The tool is used by some two million security-and-privacy-conscious folk who want to stop active content like JavaScript and Flash getting a foothold in their …

  1. Anonymous Coward

    Chrome and uMatrix

    Throw in Adblock and Privacy Badger and you're set.

    Take out Chrome and use Lynx and you're really set.

    1. Ole Juul

      Re: Chrome and uMatrix

      " . . . use Lynx and you're really set."

      Use Lynx in DOS on bare metal and you're really, really set. (It works like a charm, by the way.)

      1. Thecowking

        Re: Chrome and uMatrix

        I'm running elinks in dash, I am probably already compromised :P

      2. Ralph B

        Re: Chrome and uMatrix

        Use wget and less. Can't be too paranoid.

        1. Anonymous Coward

          Re: Chrome and uMatrix

          wget has a huge history of security vulnerabilities. Real programmers browse the web with telnet.

          telnet www.cvedetails.com 80

          GET /vulnerability-list/vendor_id-72/product_id-332/GNU-Wget.html HTTP/1.0

          Host: www.cvedetails.com

          <Enter>

          For secure sites, instead of telnet use:

          openssl s_client -connect <hostname>:443

          1. Anonymous Coward

            Re: Chrome and uMatrix

            less also has a history of vulns; you should consider using more.

    2. Anonymous Coward

      Re: Chrome and uMatrix

      Would that be the Adblock that allows advertisers to buy their way in unless you go in and remove them?

      1. Anonymous Coward

        Re: Chrome and uMatrix

        "Would that be the Adblock that allows advertisers to buy their way in unless you go in and remove them?"

        No. There are multiple forks of Adblock.

  2. sabroni Silver badge
    Mushroom

    Googleapis.com

    If I was shipping a new build of an app I wouldn't include some untested third party binaries. You can't guarantee the performance of your code if you include random untested bits.

    So why do people link to Googleapis.com to get jquery or whatever instead of taking a known version and hosting it locally?

    1. Christoph

      Re: Googleapis.com

      "So why do people link to Googleapis.com to get jquery or whatever instead of taking a known version and hosting it locally?"

      Makes the page quicker to load. The Google copy is probably already in the cache from another site. Also avoids some maintenance hassle.

      1. Doctor_Wibble

        Re: Googleapis.com

        > Makes the page quicker to load. The Google copy is probably already in the cache from another site.

        Technically you may be right but the only reason I ever heard of googleapis in the first place was when it kept appearing in the 'waiting for...' bit of the browser status bar, just like every other site-slowing third party.

        If having a script in the cache makes such a difference then the script is too big, especially if we are now assuming everyone has at least some passing semblance of broadband. Well over half a meg of script for e.g. a supposedly 'lean' page tells me the definition of 'lean' is not what it used to be.

      2. sabroni Silver badge

        Re: Also avoids some maintenance hassle.

        Adding in untested updates saves maintenance hassle? I disagree. If you trust Google to never make a mistake then you're naive. But more importantly, if the script actually has problems in areas you use then you'll have worked round them. A fix to the underlying problem could break your workaround. If the script has problems in areas you don't use why do you need the updates? You won't use them.

        So logically it's just for performance. There are much better ways of improving performance that don't involve trusting a third party with the core functionality of your app.

    2. Ocular Sinister

      Re: Googleapis.com

      You almost certainly do - unless you are writing directly to low level APIs you'll be using C runtime, MFC, C#, DirectX, ADO, ... all of which are third party binaries and all of which may be updated by an OS patch. Worse still, even if you do write directly to kernel/GDI APIs the entire OS may be upgraded!

      OSX and Linux (not sure about BSD...) have ways to limit the ways that libraries can change, so this is mostly a problem on Windows, but still...

      1. sabroni Silver badge

        Re: Googleapis.com

        Not really the same thing though is it. Windows is the platform for rich client apps, a browser is the platform for a web app. The interface between me and the platform is strictly defined and controlled and that's how I communicate with it. More to the point (about shipping code) I don't ship Windows with my rich client apps and I don't ship a browser with my web apps.

        So what are you saying? Google will keep the scripts updated in line with browser updates that break compatibility with older browser versions? That would actually be useful, though not breaking compatibility would be more useful. I'm still going to have to retest and potentially reship my app. I'd just do that with the latest library scripts.

      2. Ken Hagan Gold badge

        Re: Googleapis.com

        "you'll be using C runtime, MFC, C#, DirectX, ADO, ... all of which are third party binaries "

        Nit-pick. These aren't third-party binaries. Simply by booting up a closed source OS, you've already handed over the keys to the kingdom to your OS vendor and these are from the same source.

  3. Voland's right hand Silver badge

    It does not over here

    The one packaged by debian does not. It is not in the whitelist.

    That particular list entry can be a pain in the a*** as that is the download domain of the ajax libraries - most places pull it from source instead of having a local copy. As a result a large percentage of websites break pretty badly. As there is no 2nd level whitelisting (allow if pulled by this site), you end up whitelisting (very grudgingly) anyway.

  4. Anonymous Coward
    Thumb Up

    Ah, so I'm not paranoid after all

    I've been purging the Noscript Whitelist for quite a while, just in case, like. I just felt that Noscript should mean exactly that unless I decide otherwise.

    I feel a little bit vindicated now.

    1. Anonymous Coward

      Re: Ah, so I'm not paranoid after all

      Same here. When I install it, the first thing I do is clear the whitelist.

      1. Someone_Somewhere

        Re: Ah, so I'm not paranoid after all

        > Same here. When I install it, the first thing I do is clear the whitelist.

        Ditto.

        In fact, I seem to recall being surprised the first time I saw the whitelist prepopulated.

        Which would seem to imply that:

        ai) there was once a time when it wasn't.

        aii) I am, therefore, an old bastard.

  5. Spacedinvader
    WTF?

    Google a piss?

    Not enabled here by default...make your own whitelist and default block everything unless something on a page doesn't work. Then you have the fun of working out which script out of the shit load of them you actually need.

  6. Pascal Monett Silver badge

    Just confirms that security is YOUR business

    I rechecked my whitelist options and no, nothing Google is in there anywhere.

    Whenever I do install NoScript, by default I remove the existing whitelist. There is no such thing as security if you don't know what you're allowing.

    NoScript is a tool, not a solution. Use it correctly and you're golden.

    1. Someone_Somewhere

      Re: Use it correctly and you're golden

      Especially if you use RequestPolicy/Continued.

      7/10 times, allowing the cdn (and possibly the *static) is enough to see everything I need to - no need to enable /any/ scripts!

      Chuck in DecentralEyes as well and you're sorted.

      I'm taking some sort of adblocker and a cookie manager (like Cookie Monster and BetterPrivacy) for granted of course.

  7. Destroy All Monsters Silver badge
    Trollface

    Matthew Bryant

    Any relation with our resident commentard Matt?

    (@IAmMandatory)

    Yes, probably.

  8. Mage Silver badge
    Devil

    Google

    I don't have anything from Google whitelisted.

    I check that themes and plugins for my websites don't load ANY 3rd party sites.

    By default GoogleAPIs is blocked.
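    The check Mage describes (making sure a site's pages do not pull anything from third-party hosts such as googleapis.com) can be automated. The following is an added example, not code from the original thread or from NoScript: it parses an HTML page with Python's standard-library html.parser, lists every script and stylesheet fetched from a host other than the page's own, flags the shared-CDN hosts the thread is about, and also notes whether each third-party resource carries a Subresource Integrity attribute, which is the browser-side mitigation for the "trusting a third party with core functionality" problem sabroni raises. The sample page, the host names and the integrity value are constructed for the example.

```python
import urllib.parse
from html.parser import HTMLParser

# Shared JavaScript/font CDN hosts to flag; googleapis.com is the one this thread is about.
SHARED_CDNS = ("googleapis.com",)


class ThirdPartyResourceAuditor(HTMLParser):
    """Collects every <script src> and <link href> and classifies its host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        host = urllib.parse.urlsplit(url).hostname  # None for relative (locally hosted) URLs
        if host is None:
            return
        host = host.lower()
        if host == self.page_host or host.endswith("." + self.page_host):
            return  # first-party resource: the "host it locally" case
        self.findings.append({
            "tag": tag,
            "url": url,
            "host": host,
            "shared_cdn": any(host == c or host.endswith("." + c) for c in SHARED_CDNS),
            "has_sri": "integrity" in a,  # Subresource Integrity hash present?
        })


def audit_html(html, page_host):
    """Return the list of third-party script/stylesheet findings for one page."""
    p = ThirdPartyResourceAuditor(page_host)
    p.feed(html)
    return p.findings


# Constructed sample page (hosts and integrity value are placeholders, not real data).
SAMPLE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE, "www.example.com"):
        kind = "SHARED CDN" if f["shared_cdn"] else "third party"
        print(f"{kind:11} {f['tag']:6} {f['host']:24} SRI={'yes' if f['has_sri'] else 'no'}")
```

    Run against a site's own templates or saved pages, an empty result means nothing is fetched from outside the site; anything flagged SHARED CDN is exactly what a whitelisted googleapis.com entry would let through.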

    1. Someone_Somewhere

      Re: Google

      Don't forget 'Remove Google Tracking For Copy' for those sites that include Google results.

  9. picturethis
    Pirate

    browser? adblock? whitelists?

    I guess they're okay, but I just add *.googleapis.com, google.com, etc. to my hosts file. I use other apps besides a browser... I don't have to worry so much about whitelists. To do this on android though, I think you need to root the system, but I don't do android too much, so I don't know for sure.

    Of course I use startpage.com or duckduckgo for my searches, not google.com. I do occasionally (actually more than occasionally) run into sites that won't load - their loss (of revenue), not mine... I just move onto the next site.

    1. Someone_Somewhere

      Re: browser? adblock? whitelists?

      > Of course I use startpage.com

      I prefer ixquick.eu myself.

  10. Irongut

    Why would a tool for security-and-privacy-conscious folk whitelist Google APIs? Google are the third biggest threat to security and privacy on the internet after the NSA and Facebook.

    1. Someone_Somewhere

      Re: Google are the third biggest threat

      Actually I'd put them at least joint first with FB, if not outright first - thanks to Google, the NSA don't need to hack and track because Google have already done it /for/ them.

  11. AsherGoldbergstein

    "The researcher probed NoScript after fellow hacker Matthew Bryant (@IAmMandatory) found a host of disused default whitelisted domains and purchased one to successfully launch attacks that bypassed default installations."

    The researcher found one domain that was unused due to it being recommended by a user and it being a typo.

    http://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

    https://forums.informaction.com/viewtopic.php?f=10&t=17066

  12. sedrez

    Akamai

    And how about akamai.com/akamaihd.com? And other distributed services like AmazonWS?

    Any advice?
