[INVALID] javascript executed-noscript or firefox defeated?!
i tested out this email testing service
https://emailprivacytester.com
when i got the email and clicked one of the links, it claimed to have executed javascript in my browser (Firefox nightly 28)
alert('I\'ve managed to execute javascript in your browser. That is probably a very bad security hole. Please contact me using the contact link on emailprivacytester.com so I can help sort it out.')
my noscript settings
temporarily allow ZERO scripts
explanation
https://emailprivacytester.com/test/script_in_script
thoughts ?
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Re: javascript executed-noscript or firefox finally defeated
How are you accessing your email? In particular, are you using webmail on a script-allowed site?
If so, this sounds like more an issue with your webmail service than NoScript not doing its job...
Anyway, when that alert is open, what is listed in the NoScript menu?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Re: javascript executed-noscript or firefox finally defeated
> How are you accessing your email? In particular, are you using webmail on a script-allowed site?
> If so, this sounds like more an issue with your webmail service than NoScript not doing its job...
it doesn't matter - i load the link in my browser
no webmail
webmail would have a different domain anyway
> Anyway, when that alert is open, what is listed in the NoScript menu?
hovering over noscript shows it blocked scripts from the domain of emailprivacytester.com
when you load a new tab it shows this domain for recently blocked sites
the question is - did it *really* run js and how do we know ?
curiously i emailed the dev of the site, hopefully he replies
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Re: javascript executed-noscript or firefox finally defeated
Yes it really ran JS, and we know because you got that alert. AFAIK static HTML can't do that.
If you get an answer, please let us know what he says.
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
- Giorgio Maone
- Site Admin
Re: javascript executed-noscript or firefox finally defeated
johnshaft wrote:
> > How are you accessing your email? In particular, are you using webmail on a script-allowed site?
> > If so, this sounds like more an issue with your webmail service than NoScript not doing its job...
> it doesn't matter - i load the link in my browser
It does matter.
The JavaScript code is executed in the context of the email message you've opened.
So the way you're reading your email is of paramount importance to understand why and how the script got executed.
BTW, which "link" are you talking about, exactly?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
- Giorgio Maone
- Site Admin
Re: javascript executed-noscript or firefox finally defeated
Ooops, I suspect the OP didn't even actually see any alert window in his browser.
Might he just see the message in his webmail / desktop client, containing the following line (verbatim)

    <script type="text/javascript" src="https://emailprivacytester.com/cb/38b71b098cac43ff/script_in_script"></script>

and clicked on the https:// "link" above, which results in Firefox showing its content:

    alert('I\'ve managed to execute javascript in your browser. That is probably a very bad security hole. Please contact me using the contact link on emailprivacytester.com so I can help sort it out.')

?
If this is the case (as I strongly suspect), no JavaScript at all got executed ever in the whole process, and we're just looking at another instance of a well-intentioned security "education" attempt causing more confusion than else.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Re: javascript executed-noscript or firefox finally defeated
in my case the link is
https://emailprivacytester.com/cb/ad4b0 ... _in_script
in the context of the email opened in thunderbird, this link was the last one in the body and here's what it looks like when viewing plain text email
Email Privacy Tester
You are receiving this email because somebody at IP address 202.85.227.146
entered the email address shmick@riseup.net <mailto:shmick@riseup.net> into the
form at https://emailprivacytester.com/
If this was not you, and you wish to not receive emails from this system in
future, please visit my opt out page
<https://emailprivacytester.com/optout?e ... riseup.net>. Please don't
mark this email as spam as it may cause difficulties for people using the Email
Privacy Tester in future.
If you *were* the person to submit the form, and you want to look at the results
page, please click here <https://emailprivacytester.com/5ccc01ffcc6e84d8>.
Please ignore anything after this line as it will probably just look like
gibberish.
<http://ad4b017228699672.anchor-test.ept ... ester.com/>
<script type="text/javascript"
src="https://emailprivacytester.com/cb/ad4b0 ... ript"></script>
the dev responded:
That is a piece of javascript that would have opened
a popup alert containing that message if there was a problem.
i don't quite follow if he means the js is executed by the email client to open a popup window or if it opens a link in the web browser
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
- Giorgio Maone
- Site Admin
Re: javascript executed-noscript or firefox finally defeated
johnshaft wrote:
> the dev responded:
> That is a piece of javascript that would have opened
> a popup alert containing that message if there was a problem.
> i don't quite follow if he means the js is executed by the email client to open a popup window or if it opens a link in the web browser
What he means is that he's testing for vulnerabilities in your email client (either desktop or web-based) and one of the problems it tests for is the ability of the sender to execute JavaScript in the aforementioned mail client: therefore the popup, if the problem existed, should have been spawned by Thunderbird in your case (impossible, because JavaScript is disabled by default in Thunderbird's email message viewer docshells).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Re: javascript executed-noscript or firefox finally defeated
ok that is good to know re email client
but in the context of the browser ?
did js execute ?
after all its just a link, like any other, isn't it ?
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
- Giorgio Maone
- Site Admin
Re: javascript executed-noscript or firefox finally defeated
johnshaft wrote:
> ok that is good to know re email client
> but in the context of the browser ?
> did js execute ?
No it didn't: you just saw the source code, not its output (an alert popup).
johnshaft wrote:
> after all its just a link, like any other, isn't it ?
Yes, you just opened a link (even though it was meant to be parsed as a script inclusion, which Thunderbird correctly refused to do).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
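The mechanics Giorgio lays out in the thread (a mail with a remote `<script src>` pointing at a per-recipient callback URL; the URL serving the alert code; a mail client that refuses the inclusion showing the tag as text; a user clicking the URL in Firefox merely seeing the source) can be modelled offline. The following is an added example, not emailprivacytester.com's code or anything posted in this thread. The host ept.example.invalid, the token, the message text and the request headers are constructed for illustration; the Sec-Fetch-Dest check is an assumption about what modern browsers send and goes beyond what the thread discusses, with an Accept-header fallback for older clients.

```python
"""Offline model of an e-mail "script inclusion" probe like the one in this
thread. Added example, not emailprivacytester.com's code: the host, token,
paths and request headers below are constructed for illustration."""
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

PROBE_HOST = "ept.example.invalid"   # hypothetical callback host (assumption)
# What the callback URL serves. A browser that merely *navigates* to it shows
# this text; only a client that runs it as a script would pop the alert.
ALERT_JS = ("alert('I\\'ve managed to execute javascript in your browser. "
            "That is probably a very bad security hole.')")


def build_probe_email(token: str) -> bytes:
    """multipart/alternative message whose HTML part includes a remote script
    from the tester's callback URL, as in the message pasted above."""
    msg = EmailMessage()
    msg["From"] = f"tester@{PROBE_HOST}"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Email Privacy Tester"
    msg.set_content("Please ignore anything after this line.\n")
    callback = f"https://{PROBE_HOST}/cb/{token}/script_in_script"
    msg.add_alternative(
        "<html><body><p>Please ignore anything after this line.</p>\n"
        f'<script type="text/javascript" src="{callback}"></script>\n'
        "</body></html>\n",
        subtype="html")
    return bytes(msg)


class _ScriptSrcFinder(HTMLParser):
    """Collects src= of every <script> tag; no JS is evaluated here."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def remote_script_urls(raw: bytes) -> list:
    """URLs a mail client would have to fetch to honour the inclusion.
    A plain-text viewer shows the tag itself, which is what the OP saw."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = _ScriptSrcFinder()
            finder.feed(part.get_content())
            urls.extend(finder.srcs)
    return urls


def handle_callback(path: str, headers: dict) -> dict:
    """Model of the tester's callback endpoint.

    A hit proves only that *something* requested the URL. Whether that was the
    mail client honouring <script src> or a person clicking the link is
    inferred from request headers; whether the code then *ran* is only visible
    client-side (the alert). Sec-Fetch-Dest is what modern Firefox/Chrome
    send (assumption); older clients fall back to the Accept heuristic.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "cb":
        return {"status": 404, "body": "", "verdict": "not-a-probe"}
    _, token, test = parts
    h = {k.lower(): v for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    accept = h.get("accept", "")
    if dest == "document" or (dest is None and "text/html" in accept):
        verdict = "navigated"          # user opened the URL; JS shown as text
    elif dest == "script" or accept.strip() == "*/*":
        verdict = "fetched-as-script"  # client loaded remote script: leak
    else:
        verdict = "fetched-unknown"
    return {"status": 200, "content_type": "application/javascript",
            "body": ALERT_JS, "token": token, "test": test, "verdict": verdict}


if __name__ == "__main__":
    raw = build_probe_email("deadbeef")
    url = remote_script_urls(raw)[0]
    print("inclusion found:", url)
    # The OP's action: clicking the URL in Firefox is a navigation request.
    clicked = handle_callback(urlparse(url).path, {
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Sec-Fetch-Dest": "document"})
    print("clicked in browser ->", clicked["verdict"], "| served:", clicked["body"][:30])
    # What a vulnerable mail client would do: fetch it as a script.
    loaded = handle_callback(urlparse(url).path,
                             {"Accept": "*/*", "Sec-Fetch-Dest": "script"})
    print("loaded by mail client ->", loaded["verdict"])
```

The point the model makes explicit is the one the thread ends on: the server can tell that its URL was requested and, roughly, by what kind of requester, but it cannot observe execution at all. The alert text is just the body it serves; a navigation in a script-blocking browser renders it as plain text, and Thunderbird never requests it in the first place.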