How to deactivate NoScript remotely. Wtf?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
d457509
Posts: 2
Joined: Sat Nov 06, 2010 1:10 pm

How to deactivate NoScript remotely. Wtf?

Post by d457509 »

Hi. Noob here. :?
No idea if this works or if it's just my imagination/paranoia:

The site wichal.com is a spammer/fishing site that wants you to fill out surveys in exchange for torrent passwords.
It's filled with ads and will complain loudly if you have adblock and/or noscript installed. Just try loading it in a sandboxed browser and you'll see what I mean.

But I was shocked to notice that some of the ad/spam scripts still worked under firefox. Even with noscript set to global deny!

I found out that it was because the site WAS SET AS "TRUSTED" IN NOSCRIPT!!!
That and the "leadbolt.net" domain!

I'm always in Global deny mode. So what's going on? Check this out:

Code: Select all

	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head>

    <title>Your Code is displayed below!</title>

    

    <!--THIS IS THE ONLY LINE YOU NEED TO INCLUDE-->

    <script type="text/javascript">ap_loaded = false;</script>

<script type="text/javascript" src="http://ad.leadbolt.net/show_cu.js?section_id=43"></script>

<script type="text/javascript">if (!ap_loaded) { window.location = 'http://ad.leadbolt.net/adblock?section_id=43'; }</script>

<noscript><meta http-equiv="refresh" content="0;url='http://ad.leadbolt.net/noscript?section_id=43'" /></noscript>

    <!--THIS IS THE ONLY LINE YOU NEED TO INCLUDE-->

    

</head>

<body>

    <p align="center"><b><font face="Verdana" size="6">Your Code is displayed 

	below!</font></b></p>

    <h1 align="center"> </h1>

	<p align="center">

	<img border="0" src="Kirkirahtygd.gif" width="300" height="277"></p>

	<p align="center">

 </p>

	<p align="center"> </p>

	<p align="center"><b><font face="Verdana" size="5">Hope you enjoy the video!</font></b></p>

<p align="center"><b><font face="Verdana" size="5">Have a nice day :)</font></b></p>

<p align="center"> </p>

<p align="center"> </p>

	<p align="center"> </p>

</body>

</html>
This is the source code as dumped using opera (no extensions) of the main page "http://www.wichal.com/caninthun/"

Notice this line:

Code: Select all

<noscript><meta http-equiv="refresh" content="0;url='http://ad.leadbolt.net/noscript?section_id=43'" /></noscript>
That line, built into the page itself and not added by noscript, or any other plugin, appears to modify the noscript settings into letting scripts from that domain run as trusted.

Fortunately tweaking the options for trusted sites to have the same restrictions as untrusted sites seems to solve this problem.
The scripts from leadbolt.net try to load the main ads, and check for adblock and noscript.

So what's going on? Is noscript really being tricked into running blocked scripts? Am I wrong? Is this really what's happening?
Is this a feature in noscript that lets advertisers set themselves as trusted?
Is this a feature to let sites detect and deny noscript users?

Is this a known bug/exploit? What is going on?
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12 GTB7.1
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: How to deactivate NoScript remotely. Wtf?

Post by Giorgio Maone »

d457509 wrote:Is noscript really being tricked into running blocked scripts?
Nope.
d457509 wrote:Am I wrong?
Yep.
d457509 wrote:What is going on?
Are you sure you did not accidentally check NoScript Options|Allow top-level sites by default?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
d457509
Posts: 2
Joined: Sat Nov 06, 2010 1:10 pm

Re: How to deactivate NoScript remotely. Wtf?

Post by d457509 »

Giorgio Maone wrote:Are you sure you did not accidentally check NoScript Options|Allow top-level sites by default?
Yup I'm sure. That option is off.

But i DID forget to check "Forbid META redirections inside <noscript> elements"...

Would explain why

Code: Select all

ipt><meta http-equiv="refresh" content="0;url='http://ad.leadbolt.net/noscript?section_id=43'" /></noscri
loaded... :(
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12 GTB7.1
Post Reply