
Google Patches Chrome Bug That Lets Attackers Steal Web Secrets Via Audio Or Video HTML Tags (bleepingcomputer.com) 14

An anonymous reader writes: "Google has patched a vulnerability in the Chrome browser that allows an attacker to retrieve sensitive information from other sites via audio or video HTML tags," reports Bleeping Computer. The attack breaks CORS -- Cross-Origin Resource Sharing, a browser security feature that prevents sites from loading resources from other websites -- and will attempt to load resources (some of which can reveal information about users) inside audio and video HTML tags. During tests, a researcher retrieved age and gender information from Facebook users, but another researcher says the bug can also be used to retrieve data from corporate backends or private APIs. Ron Masas, a security researcher with Imperva, first discovered and reported this issue to Google. The bug was fixed at the end of July with the release of Chrome v68.0.3440.75.
  • by Anonymous Coward

    Browsers are too complicated these days and things are not helped by the fact they were not designed with typical engineering discipline in mind.

    For example, HTML parsers have a whole set of rules for how malformed input should be handled. There is only one acceptable answer and that is that malformed input should be rejected. That would force people to write correct HTML code (in the same way they are forced to write correct C++ or Python code) and would make parsing more robust.

    Things are not helped by an

    • by sexconker ( 1179573 ) on Wednesday August 15, 2018 @08:26PM (#57134522)

      I propose a new standard for a secure internet markup and programming language engine. SIMPLE. If you want a 4-character file extension, you can go for SMPL.

      It'll be secure because it says so right in the name of it.
      It'll be for the internet because everything is for the internet, and if it's not someone will take it and put it on the internet anyway.
      It'll be both for markup and programming, because apparently that's what we do now.
      It'll be both a language and an engine, because we can't seem to separate a language's spec and a given implementation to parse, render, or execute it anymore, and JAVASCRIPT "FOR THE SERVER" IS A FUCKING THING FOR SOME REASON.

      Here's the current draft spec:

      1: To start off, fuck your encodings and your content types and your character sets. As much as I hate it, we're just gonna fucking use UTF-8 and if your shit don't render fuck you.

      2: None of this shit where we allow broken files. If a file isn't properly formatted it is to be considered malicious and outright rejected with no processing. You'll put closing tags for fucking everything and you'll like it. No trailing slash for empty tags. Put a damned closing tag.

      3: No fucking cross domain anything. I don't give a shit. If you want your users to see and work with shit from another domain, send them there or rehost that content yourself and take responsibility for it. If you want to read information about your users as seen/set by another domain, go fuck yourself.

      4: No persistent cookies or whatever else. Your users can log in and get session cookies, but once the session is gone you're back to square one. If you want to remember shit about them, then fucking store that shit on your server and associate it with their user ID.

      5: No god damn auto playing anything without the user's explicit and specific active choice to do that.

      6: At no time will a SIMPLE browser expose anything about its user other than what URL the user is requesting, what data the user is actively choosing to submit, and what minimal data the user is implicitly submitting in order to maintain a coherent session across requests. No fucking battery API. No fucking list of plugins. No fucking advertising IDs.

      8: Other than that it's basically XHTML and oh, let's say ActionScript.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        You forgot:

        9: No API for pop-up, pop-over or pop-under. It is on the page, or it doesn't exist. (popups are a very bad user interface in general - and not needed on the web.) Need to show an ad? Put it on the page somewhere.

        10: No API for moving the mouse cursor position. Having that is evil - I have seen abuses but never ever an occasion where this did anything useful. Shouldn't be hard - there aren't cursors on touch-only things anyway, pages must already work without this capability. A mouse cursor onl

      • by Anonymous Coward

        Step 1. Fork Firefox
        Step 2. Alter it to treat every web page according to your rules.
        Step 3. Make your new browser the most popular one (because it's secure).
        Step 4. Watch as all broken sites get fixed to work with your popular browser.
        Step 5. Profit.

    • What you need is software freedom: the freedom to run, inspect, share, and modify published computer software. Developmental methodology won't get you the provable security of free software and it won't necessarily get you the freedom to make your computer do what you want it to do by following your instructions.

      It would be possible to come up with a browser that worked as you described but was proprietary. Such a browser would be as untrustworthy as other proprietary malware proves to be [gnu.org] (not just Google's
