[INVALID] Twitter.com/twimg.com: got a script past NoScript

EdHynanNotRegi

[INVALID] Twitter.com/twimg.com: got a script past NoScript

Post by EdHynanNotRegi »

Loaded twitter.com and it managed to get (an obnoxious) script executed.

Env:
- Firefox 25 on Ubuntu 12.04, recently updated from package system. NoScript is, and has been, installed from mozilla extensions system, for years; current version 2.6.8.4.
- NoScript options are default, a small set of domains are allowed but NOT twitter.com or twimg.com.
- Firefox running with (currently) 14 windows, each with many tabs; FFox is restarted only as needed, that is, rarely; session restore is used.

Event:
- I do not think I had *ever* visited twitter.com before
- Entered twitter.com in address bar, page loaded -- with warning that twitter uses heavy JS
- After a few seconds a new rectangle with text and a button appeared at upper right corner: the delay surprised me since scripts should be blocked.
- Next I found that the same new elements that appeared on the twitter page were present in *every* firefox window, only on the foreground (selected) tab.
- Checked "view source" vs. "view generated source": the last element delivered with the page -- *after* </html> -- is a script with the async attribute:

    <script src="https://abs.twimg.com/c/swift/en/init.4119a754be6560a20b7bca78e45c729dfae6dbb1.js" async></script>

- In 'generated' source, after that script element, a set of <div> elements appears that contain the elements that appear in the upper right corner.
- Saved page with FFox right-click "Save page as": in *_files directory, found init.js, exactly same as wget of script URL quoted above, size 319843 bytes.

Clearly, Twitter got a script past NoScript, made it execute and get those elements added to DOM; as for their appearance in all windows, that seems *really* bad -- certainly not the behavior I want to see in my browser. I mentioned above a few seconds delay -- which could be trivially implemented on the server -- could this delay along with the async attribute exploit a timing hole?

I assume that this is something NoScript would want to prevent; I hope it will in the future.

-- Ed
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
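The "view source" vs. "view generated source" comparison described in the post can be done mechanically: parse both documents, count the elements in each, and report what exists only in the generated (post-load) DOM, plus which external scripts carry the async attribute. This is an added example in Python, not code from the thread, from NoScript or from Twitter; the two HTML snippets, the cdn.example.net host and the allow list are constructed for the demonstration.

```python
"""Locate elements that appeared in the DOM only after the page was
delivered, and list external async scripts by host.

Added example, not code from the thread or from NoScript. DELIVERED
stands for "view source", GENERATED for "view generated source"; both
are constructed here so the script runs offline."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the delivered page ends with one external async script.
DELIVERED = """<!DOCTYPE html><html><head><title>t</title></head>
<body><div id="page"><p>Hello</p></div></body></html>
<script src="https://cdn.example.net/init.js" async></script>"""

# Constructed sample: the generated DOM carries an extra overlay
# (the kind of "rectangle with text and a button" the OP saw).
GENERATED = DELIVERED + """
<div class="overlay"><span>Rate us!</span><button>Install</button></div>"""


class _Collector(HTMLParser):
    """Record every start tag as (tag, sorted attributes) and every <script>."""

    def __init__(self):
        super().__init__()
        self.signatures = Counter()
        self.scripts = []  # (src, is_async) for each <script> element

    def handle_starttag(self, tag, attrs):
        # Boolean attributes such as `async` arrive with value None.
        norm = tuple(sorted((k, v if v is not None else "") for k, v in attrs))
        self.signatures[(tag, norm)] += 1
        if tag == "script":
            d = dict(attrs)
            self.scripts.append((d.get("src") or "", "async" in d))


def collect(html):
    """Parse one document and return the filled collector."""
    p = _Collector()
    p.feed(html)
    p.close()
    return p


def injected_elements(delivered, generated):
    """Elements present in the generated DOM but absent from the delivered
    source, as a sorted list of (tag, attributes, extra_count)."""
    before = collect(delivered).signatures
    after = collect(generated).signatures
    diff = after - before  # Counter subtraction keeps only positive counts
    return sorted((tag, attrs, n) for (tag, attrs), n in diff.items())


def async_script_hosts(html):
    """Hosts of external <script> elements that carry the async attribute."""
    return [urlsplit(src).hostname
            for src, is_async in collect(html).scripts if is_async and src]


def unapproved_async_hosts(html, allowed):
    """Async script hosts outside the user's allow list (constructed set)."""
    return [h for h in async_script_hosts(html) if h not in allowed]


if __name__ == "__main__":
    for tag, attrs, n in injected_elements(DELIVERED, GENERATED):
        print(f"injected: <{tag}> {dict(attrs)} x{n}")
    print("async hosts not allowed:",
          unapproved_async_hosts(GENERATED, {"example.com"}))
```

The diff flags every node created after delivery, whether by the page's own scripts or by something else in the browser; what the thread later makes clear is that an element showing up on unrelated pages as well points away from the page's script and toward an extension, so the same comparison is worth running on a page that does not belong to the suspected site.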
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: Twitter.com/twimg.com: got a script past NoScript

Post by barbaz »

Confirmed that this can happen. I didn't like the sound of this so I went to a forbidden page (forbid mozilla.org and go to http://www.mozilla.org/en-US/book/) and executed the following code through Firebug:

    document.write("<script async>alert(\"Cuckoo\");</script>");

The alert happened without allowing the site :o , and the page went completely blank.
On the NoScript menu was only Forbid http://www.mozilla.org :?:
I tested this also on Ubuntu 12.04, with official Mozilla build of SeaMonkey 2.22b2 and NS 2.6.8.5rc1.
This seems like a critical bug, not malware on the OP's system... please fix this so that we can have our sense of security back. Thanks
Last edited by barbaz on Sat Nov 02, 2013 11:38 pm, edited 1 time in total.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22b2
EdHynanNotRegi

Re: Twitter.com/twimg.com: got a script past NoScript

Post by EdHynanNotRegi »

barbaz wrote: Confirmed that this can happen.
Thanks for confirming.
barbaz wrote: This seems like a critical bug,
++

--Ed
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Twitter.com/twimg.com: got a script past NoScript

Post by Giorgio Maone »

Sorry, I cannot reproduce.
Here's my contrived test case:
http://maone.net/test/async.html

    <!DOCTYPE html>
    <body>
    Async test
    </body>
    <script async>alert("Cuckoo")</script>
    <script src="http://evil.hackademix.net/a.js" async></script>

http://evil.hackademix.net/a.js:

    alert("Hi from " + document.URL)

Neither alert is shown if both maone.net and evil.hackademix.net are forbidden (as expected).
No alert is shown either if only evil.hackademix.net is allowed (as expected).
Both alerts are shown if I allow both maone.net and evil.hackademix.net (as expected).
Only "Cuckoo" is shown as soon as I allow maone.net only (as expected).
There's no way to show only "Hi from http://maone.net/test/async.html" (as expected).

@EdHynanNotRegi:
Are you using any other extension besides NoScript? If so, does the problem persist if you disable them all?
Also, can you reliably reproduce it?
What does the additional content look like, exactly?
EdHynanNotRegi wrote: Next I found that the same new elements that appeared on the twitter page were present in *every* firefox window, only on the foreground (selected) tab.
Do you mean on pages which were not Twitter-related? Again, what was the additional content, exactly? It really seems to be injected by something else (another browser extension?) rather than by a Twitter script...

@barbaz:
Your Firebug-based PoC doesn't tell us much, because Firebug console code is executed through a sandbox which purposely bypasses normal content script permissions.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: Twitter.com/twimg.com: got a script past NoScript

Post by barbaz »

Test case works as expected here - the script is blocked. I had not realized that <script> nodes injected by Firebug would be allowed to execute on forbidden pages. Tried Scriptish instead in a variety of ways and NS consistently did its job there. Sorry about the false alarm.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 SeaMonkey/2.21
EdHynanNotRegi

Re: Twitter.com/twimg.com: got a script past NoScript

Post by EdHynanNotRegi »

This is *NOT* a problem with NoScript -- I was wrong to conclude it was.

Sorry for raising alarm here.

The event I described turns out to be spam from another Firefox extension, "Flash Video Downloader", which has earned removal.

Sorry for wasting your time.

- Ed
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0