
NoScript and hijacked trustworthy websites (such as TechCrunch and SongLyrics)

September 23, 2010

Last week, Qualys’ CTO Wolfgang Kandek told me that the “modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them.” (The Top Cyber Security Risks Report) I found this quite disturbing because it makes me wonder if I am actually as safe on the internet as I had always thought I was.

You see, I use Firefox and NoScript. And NoScript will stop any script at all, whether benign or malicious, running in Firefox – unless I temporarily or permanently whitelist the page in question. This has to be a good thing. It means that when I visit a site and nothing much happens, I am forced to ask myself: do I trust this site? If I do, I can whitelist it and get the full experience. If I don’t, I can just move on confident that nothing untoward has happened.

But that was before Kandek’s comment. This sounds like a game-changer. If the bad guys compromise a good site, when I ask myself ‘do I trust this site’ I will probably say yes. And if the site in question was either TechCrunch or SongLyrics (two good sites recently hacked), I might have whitelisted a site that had been compromised.

[Photo: Giorgio Maone, developer of NoScript]

Does this mean, I had to ask myself, that NoScript is no longer as useful as I thought? Well, who better to really ask than NoScript’s developer, Giorgio Maone. “Had I visited TechCrunch a couple of weeks ago, even with NoScript, would I now be infected?” I asked him.

“No, you would not,” he replied. “The TechCrunch network was compromised by exploiting its SQL injection vulnerabilities, just like 99% of all of today’s website attacks. Exploitations of this kind are subject to constraints like the size of the injected payload and the impossibility of storing files on the “infected” web sites. Therefore, the malicious JavaScript code that actually gets embedded in the TechCrunch site (or in any other compromised site that’s on your whitelist) is just a very small bootstrap meant to load the “true” payload from an external website (usually a disposable Chinese or Russian domain) that is in the full control of the attacker. This domain, quite obviously, is very unlikely to be in your whitelist.”

In other words, even when TechCrunch was compromised, it was not TechCrunch itself that was dangerous; the danger was the external site that the injected bootstrap loaded the real payload from – let’s call it GetHackedHere.ru. And so long as you don’t whitelist GetHackedHere.ru, NoScript will continue to keep you pretty safe, because its whitelist is checked against the domain each script is fetched from, not just the page you are looking at.

But Maone didn’t stop there. Did you know, he asked, “that middle-clicking on site names shown in the NoScript menu opens a tab where a few tools are linked, giving information on that site?” I didn’t, so I tried it on TechCrunch. It gave me four options: the WOT Scorecard, the McAfee SiteAdvisor Rating, the Webmaster Tips Site Information, and Google’s Safe Browsing Diagnostic.

[Screenshot: NoScript security & privacy menu when you middle-click a site name]

I clicked the last.

[Screenshot: Google Safe Browsing Diagnostic for TechCrunch]

In the last 90 days, 58 pages on techcrunch.com have been compromised – although nothing since 6 September. But note that, confirming Maone’s comments, the actual malware was hosted on virtuellvorun.org, not on TechCrunch. So NoScript users would have remained protected even if they had whitelisted the compromised TechCrunch, because NoScript would still have refused any script fetched from the virtuellvorun domain, which was not on their whitelist.

I’m not quite as smug as I used to be – but I’m just as well protected by NoScript as I ever was. And I can and do wholeheartedly still recommend Firefox and NoScript to anyone who wants to stay safe on the Internet.

NoScript download (for Firefox users)
