Re: [tor-talk] Self-deleting scripts in http connections

2016-12-21 Thread Allen
http://www.digitaltrends.com/computing/firefox-tor-vulnerability/

On Wed, Dec 21, 2016 at 3:09 PM, Joe Btfsplk  wrote:
>
>
> On 12/8/2016 7:10 AM, Jonathan Marquardt wrote:
>>
>>
>> Such an attacker could insert some JS or cookies etc. to track a user
>> around the web or more dangerous attacks like stealing user data. The
>> possibilities of JS are far-reaching. In the worst case scenario, JS can
>> be used to exploit a user's device and gain privileges within the OS.
>> Such an attack has just been discovered last month *on this mailing list
>> right here.*
>
>
> Details?  Missed that memo.
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Self-deleting scripts in http connections

2016-12-21 Thread Joe Btfsplk



On 12/8/2016 7:10 AM, Jonathan Marquardt wrote:

> Such an attacker could insert some JS or cookies etc. to track a user around
> the web or more dangerous attacks like stealing user data. The possibilities
> of JS are far-reaching. In the worst case scenario, JS can be used to exploit
> a user's device and gain privileges within the OS. Such an attack has just
> been discovered last month *on this mailing list right here.*


Details?  Missed that memo.


Re: [tor-talk] Self-deleting scripts in http connections

2016-12-08 Thread Jonathan Marquardt
> This sequence of events got me thinking; the exit node queries servers on
> the behalf of the Tor Browser. Some sites simply cannot be connected to via
> HTTPS. Thus, the exit node must query the site requested in HTTP, which can
> be modified in transit. If done, what form of protections could a MitM do
> between the site and the exit node bypass by, say, inserting a CSS document
> that references an external JS script to force a query from the browser?

Such an attacker could insert some JS or cookies etc. to track a user around 
the web or more dangerous attacks like stealing user data. The possibilities 
of JS are far-reaching. In the worst case scenario, JS can be used to exploit 
a user's device and gain privileges within the OS. Such an attack has just 
been discovered last month on this mailing list right here.


Re: [tor-talk] Self-deleting scripts in http connections

2016-12-06 Thread Rythyrix
My apologies for lateness, had to life and determine the source of this 
script.


A) I don't know the exit node I used in Tor, nor does it appear to be 
relevant, in this case, because


B) I apologize for being unclear before, I was using Firefox, not Tor 
Browser, and


C) Found the source of the script in question, turns out, it's added by 
an addon I had downloaded. Location Guard, available here:


https://addons.mozilla.org/en-US/firefox/addon/location-guard/

And source : https://github.com/chatziko/location-guard

I posted this to the tor-talk after someone on ZeroNet recommended I do so.

D) I cannot get this script to reproduce in Tor Browser, using either 
the Location Guard addon or any of the myriad JS injector addons 
available from the Firefox repo. Attempting to do so resulted in zero JS 
on the page.


This sequence of events got me thinking; the exit node queries servers 
on the behalf of the Tor Browser. Some sites simply cannot be connected 
to via HTTPS. Thus, the exit node must query the site requested in HTTP, 
which can be modified in transit. If done, what form of protections 
could a MitM do between the site and the exit node bypass by, say, 
inserting a CSS document that references an external JS script to force 
a query from the browser?


Again, apologies for being insufficiently clear, I was slightly 
panicking and thought it should be made known, just in case.

On 12/02/2016 10:47 PM, Jonathan Marquardt wrote:

> On Fri, Dec 02, 2016 at 08:47:11PM -0800, Rythyrix wrote:
>
>> Greetings, all.
>>
>> Recently, as I was browsing over to coppersurfer dot tk , I on a whim opened
>> up Firefox's Element Inspector (right click -> Inspect Element (Q)) .
>> Imagine my surprise when I find a script before the title tag. (see pastebin
>> HNqsDsq2 for sourcedump).
>>
>> Given that I have NoScript, I needed to test it. Restarting with addons
>> disabled made the script not appear by the time I managed to open the
>> Element Inspector again. Given that Tor is based on Firefox, the ability for
>> a site to remotely delete a script from a client browser is worrying. Is
>> anyone willing to double check that this happens to more than just myself?
>>
>> A concerned netizen.
>>
>> (I don't want to post hyperlinks, lack of accidental clicks that way.)
>
> There wasn't really anything remotely deleted here. You just reloaded the page
> and the script was not sent again, right?
>
> What's far more worrying however, is that the code you put on Pastebin doesn't
> look like it belongs on this webpage. To me it looks like some code to track
> your geolocation. Either the website itself or the Tor exit node (or perhaps
> even some other attacker in the middle) tried to inject some code here, I
> guess. When you restarted Tor Browser, you probably got a new circuit for the
> site and thus a new exit node.
>
> Perhaps it's a good idea, to not disable the add-ons which are supposed to
> protect you from malicious JavaScript code, if you just ran into some malicious
> JavaScript code.
>
> You don't just by a chance know, which exit node you used for that site when
> you got the code, do you?

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
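
An added example, not part of any message in this thread: the Element Inspector shows the live DOM, which includes elements an add-on inserts after the response arrives, so a script seen there was not necessarily sent over the network. The sketch below compares the `<script>` elements in the raw response body with those in a DOM snapshot; the function names and both HTML samples are constructed for illustration.

```javascript
// Added example: the sample HTML below is constructed, not taken from the thread.

// Return one fingerprint per <script> element in an HTML string.
// External scripts are keyed by src, inline scripts by normalized body.
function scriptFingerprints(html) {
  const prints = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      prints.push('src:' + (src[1] ?? src[2] ?? src[3]));
    } else {
      prints.push('inline:' + m[2].replace(/\s+/g, ' ').trim());
    }
  }
  return prints;
}

// Scripts present in the live DOM but absent from the raw response were
// added on the client side, not by anything on the network path.
function classifyScripts(rawResponse, domSnapshot) {
  const fromNetwork = new Set(scriptFingerprints(rawResponse));
  const result = { network: [], clientSide: [] };
  for (const fp of scriptFingerprints(domSnapshot)) {
    (fromNetwork.has(fp) ? result.network : result.clientSide).push(fp);
  }
  return result;
}

// Constructed inputs: the body as received (View Source or a saved response)
// and document.documentElement.outerHTML copied from the browser console.
const rawResponse = `<html><head><title>Example</title>
<script src="/static/app.js"></script></head><body></body></html>`;
const domSnapshot = `<html><head><script>
  (function () { /* constructed stand-in for add-on injected code */ })();
</script><title>Example</title>
<script src="/static/app.js"></script></head><body></body></html>`;

const report = classifyScripts(rawResponse, domSnapshot);
console.log(report);
```

A `clientSide` entry only means the script did not come from the response body; the page's own scripts can also add elements at runtime, so repeating the comparison with add-ons disabled separates the two cases.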


Re: [tor-talk] Self-deleting scripts in http connections

2016-12-02 Thread Jonathan Marquardt
On Fri, Dec 02, 2016 at 08:47:11PM -0800, Rythyrix wrote:
> Greetings, all.
> 
> Recently, as I was browsing over to coppersurfer dot tk , I on a whim opened
> up Firefox's Element Inspector (right click -> Inspect Element (Q)) .
> Imagine my surprise when I find a script before the title tag. (see pastebin
> HNqsDsq2 for sourcedump).
> 
> Given that I have NoScript, I needed to test it. Restarting with addons
> disabled made the script not appear by the time I managed to open the
> Element Inspector again. Given that Tor is based on Firefox, the ability for
> a site to remotely delete a script from a client browser is worrying. Is
> anyone willing to double check that this happens to more than just myself?
> 
> A concerned netizen.
> 
> (I don't want to post hyperlinks, lack of accidental clicks that way.)

There wasn't really anything remotely deleted here. You just reloaded the page 
and the script was not sent again, right?

What's far more worrying however, is that the code you put on Pastebin doesn't 
look like it belongs on this webpage. To me it looks like some code to track 
your geolocation. Either the website itself or the Tor exit node (or perhaps 
even some other attacker in the middle) tried to inject some code here, I 
guess. When you restarted Tor Browser, you probably got a new circuit for the 
site and thus a new exit node.

Perhaps it's a good idea, to not disable the add-ons which are supposed to 
protect you from malicious JavaScript code, if you just ran into some malicious 
JavaScript code.

You don't just by a chance know, which exit node you used for that site when 
you got the code, do you?