back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser
today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
@SamantazFox out of curiosity, where? the archive.org captures don't load for me
edit: ty :)
@Lenni @rebane2001 @SamantazFox
Archive.today is rolling out Google's QR reCaptcha as well paired with altering snapshots, seems like potential vector for a bad time.
@milagemayvary @Lenni @rebane2001 @SamantazFox
archive.org has already scrubbed archives of incriminating words by sex offenders like Andrew Tate, Vitalik Butterin, and a DOGE staffer, so really, who can I wing for?
@PuppyFromLosAndes @Lenni @rebane2001 @SamantazFox
I assume we're speaking of Kiwi Farms?
Is it scrubbed from archive.org, or is it present for research purposes?
I would assume they have kept the data, I think they would respond to a subpoena with the snapshot.
After about 10 minutes of searching, I'm not entirely sure if archive.today has been used as admissable evidence in a court room let alone successfully.
IANAL, I feel like this is a legal quagmire & legally safer to exclude?
@Viss @rebane2001 it's mentioned in an Ars Technica article that Vivaldi is also vulnerable.
>Other browsers Rebans confirmed as vulnerable include Brave, Opera, Vivaldi, and Arc.
@rebane2001 Is it the same as this one?
Attached: 1 image Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @[email protected] 🤣🫡
@rebane2001 @cR0w Didn't try, but in theory, full (Manifest v2) uBO should be able to inject a CSP policy that sets worker-src 'none';
https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#csp
Probably something like
||$csp=worker-src 'none'
to disable service workers everywhere?
@rebane2001 @cR0w (I assume using it like that might break extensions that use service workers? Can an extension inject CSP headers into a different extension? No idea.)
Anyways, turns out someone wrote up exactly that at some point: https://bonina.eu/web/disable-service-workers-chromium-browsers/
@rebane2001
oooof, thats not good😬
3,5 years...
sent from my firefox
i second this, sent from my epiphany
Pfffrrrrsssshhh.
Even the "most secure web browser" ends up being just as incompetent as the rest.
Rebane
Mathaetaes
Alesandro Ortiz 🇵🇷🏳️🌈
Ratsnake
Samantaz Fox
Lenni 
🖖
milagemayvary
River, Cachorrín de Los Andes
ftg
Shravan Ravi Narayan
Viss
Sean
yoasif
jtb
Anton 🇺🇦🇪🇺
Kotsune
Henry
Ed
Bob K Mertz 
cR0w
Grande gnome Gertrude
Alexander Bochmann
TagHunt
Skyr
Eldeberen
chebra
RoboMWM
�
zyxhere💭
Regalia 
74ミ [angelspit] 
Interpipes 💙
gürkan �’ :catlong_head_left::catlong_h::catlong_end_right:
Sylvhem
Cyril Brulebois
firekeeper
aeva
cancel
FOSS-Daily!