back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member

in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser

today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121

OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS 💀💀

even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!

all from just visiting a single website once !!

@rebane2001 I've got a dumb question: Is this something that can be mitigated with a uBlock filter? It reads like it could be but I don't know this stuff well.

@rebane2001 @cR0w Didn't try, but in theory, full (Manifest v2) uBO should be able to inject a CSP policy that sets worker-src 'none';

https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#csp

Probably something like
||$csp=worker-src 'none'
to disable service workers everywhere?

@rebane2001 @cR0w (I assume using it like that might break extensions that use service workers? Can an extension inject CSP headers into a different extension? No idea.)

Anyways, turns out someone wrote up exactly that at some point: https://bonina.eu/web/disable-service-workers-chromium-browsers/

How to disable Service Workers on Chromium based browsers through uBlock · bonina.eu

Service Workers may pose risks, with the next steps we can effectively disable them.
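The suggestion above of injecting a `worker-src 'none'` policy is worth checking against how CSP actually resolves worker loads: `worker-src` is only the first stop, and if it is absent the browser falls back to `child-src`, then `script-src`, then `default-src`. The following JavaScript is an added example, not code from the thread or from uBlock Origin; it parses a CSP header string (the sample headers are constructed) and reports which directive would govern a same-origin `navigator.serviceWorker.register()` call and whether that call would be allowed. The helper names `parseCsp`, `governingWorkerDirective` and `workerRegistrationAllowed` are hypothetical.

```javascript
// Added example (not from the thread): decide whether a Content-Security-Policy
// header permits registering a same-origin worker, following the CSP3 fallback
// chain for worker requests. Sample headers below are constructed for illustration.

// Order in which the browser looks for a directive that governs worker loads.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse "name src src; name src" into a Map of directive name -> source list.
// CSP ignores a repeated directive, so the first occurrence wins here too.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive that actually applies to worker loads, or null if none is set
// (in which case the policy does not restrict workers at all).
function governingWorkerDirective(directives) {
  for (const name of WORKER_FALLBACK) {
    if (directives.has(name)) return name;
  }
  return null;
}

// Does a source list allow a worker script served from `origin` itself?
// Handles 'none', 'self', '*', a scheme-source ("https:") and host-sources.
function sourceListAllows(sources, origin) {
  if (sources.length === 0) return false; // empty list behaves like 'none'
  const lowered = sources.map((s) => s.toLowerCase());
  if (lowered.length === 1 && lowered[0] === "'none'") return false;
  const url = new URL(origin);
  for (const s of lowered) {
    if (s === "'self'" || s === '*') return true;
    if (s === url.protocol) return true;      // e.g. "https:"
    if (s === url.origin) return true;        // e.g. "https://example.com"
    if (s === url.host) return true;          // bare host, same scheme assumed
  }
  return false;
}

// Evaluate a raw CSP header for a same-origin worker registration.
// Returns { governedBy, allowed } so the caller can see *why* a result was reached.
function workerRegistrationAllowed(header, origin) {
  const directives = parseCsp(header);
  const governedBy = governingWorkerDirective(directives);
  if (governedBy === null) return { governedBy: null, allowed: true };
  return { governedBy, allowed: sourceListAllows(directives.get(governedBy), origin) };
}

// Constructed sample policies, evaluated for a constructed origin.
const ORIGIN = 'https://example.com';
const SAMPLES = [
  "default-src 'self'; worker-src 'none'",   // explicit block, as the thread suggests
  "default-src 'self'",                      // no worker-src: falls through to default-src
  "default-src *; script-src 'none'",        // script-src is reached before default-src
  "worker-src https://cdn.example.net",      // only a third-party host is allowed
  '',                                        // no policy at all
];

for (const csp of SAMPLES) {
  const result = workerRegistrationAllowed(csp, ORIGIN);
  console.log(JSON.stringify(csp), '->', result);
}
```

The third sample is the one to notice: a `script-src 'none'` with no `worker-src` still blocks workers, while a permissive `default-src` alone does not, so a filter that injects only `worker-src 'none'` is the narrowest way to get the effect the thread is after without touching other script loads.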