MarioNet browser attack

General discussion and chat (archived)
John connor
Banned user
Banned user
Posts: 1492
Joined: 2015-01-21, 05:06

MarioNet browser attack

Post by John connor » 2019-02-26, 05:40

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected. This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.
https://www.zdnet.com/article/new-brows ... -web-page/

Is Pale Moon vulnerable?

I use Sandboxe so I gotta wonder if it'd stick?

User avatar
Nigaikaze
Board Warrior
Board Warrior
Posts: 1146
Joined: 2014-02-02, 22:15
Location: Chicago, IL, USA

Re: MarioNet browser attack

Post by Nigaikaze » 2019-02-26, 05:46

F22 Simpilot wrote:Is Pale Moon vulnerable?
Since that attack appears to be based on Service Workers, do a forum search for that phrase and it will answer your question.
Nichi nichi kore ko jitsu = Every day is a good day.

User avatar
karlchen
Hobby Astronomer
Hobby Astronomer
Posts: 25
Joined: 2019-01-16, 15:55

Re: MarioNet browser attack

Post by karlchen » 2019-02-26, 08:40

I assume that the recommended search should return this very clear statement by Moonchild on top of the list:
Moonchild wrote:About Push in Pale Moon:
https://www.palemoon.org/info-url/push.shtml

Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.
As a consequence, the answer to the question
F22 Simpilot wrote:Is Pale Moon vulnerable?
should be, "No, it is not, because Pale Moon does not support Service Workers."

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29334
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: MarioNet browser attack

Post by Moonchild » 2019-02-26, 09:13

F22 Simpilot wrote:Is Pale Moon vulnerable?
No, it is not, because Pale Moon by default does not support Service Workers.
(they -can- be enabled through advanced configuration but it is a really bad idea to do so, and that configuration is wholly unsupported)

The same situation is valid for Basilisk.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

John connor
Banned user
Banned user
Posts: 1492
Joined: 2015-01-21, 05:06

Re: MarioNet browser attack

Post by John connor » 2019-02-27, 01:03

Well that's good.

I use a plain vanilla install of Firefox for sites that use Recaptcha. Is there a way to turn off Service Workers in FF? Or is it beyond complicated?

User avatar
ron_1
Moon Magic practitioner
Moon Magic practitioner
Posts: 2412
Joined: 2012-06-28, 01:20

Re: MarioNet browser attack

Post by ron_1 » 2019-02-27, 02:02

F22 Simpilot wrote:
Is there a way to turn off Service Workers in FF? Or is it beyond complicated?
The ghacks article goes into that (at the bottom).

https://www.ghacks.net/2019/02/26/marionet-attack-lets-hackers-control-your-browser-even-after-you-leave-the-attack-page/

Michaell
Fanatic
Fanatic
Posts: 151
Joined: 2018-05-26, 18:13

Re: MarioNet browser attack

Post by Michaell » 2019-02-27, 02:06

about:config:
dom.serviceWorkers.enabled = false
or user.js:
user_pref("dom.serviceWorkers.enabled", false);
Win10home(1709), PM28.13port

User avatar
cartel
Lunatic
Lunatic
Posts: 431
Joined: 2014-03-16, 21:57
Location: Chilliwack, BC

Re: MarioNet browser attack

Post by cartel » 2019-02-28, 13:33

I made dom.workers.enabled;false also.
I can live without it and google maps

FF wants to hide the setting and enable always:
https://bugzilla.mozilla.org/show_bug.cgi?id=1434934
> Disabling workers is not a privacy enhancing change. I don't know why people have that impression.

Worker SAB was the initial timing intrinsic used to run Spectre in browsers, and some people may be wary of additional timing intrinsics that have yet to be discovered or disclosed. I don't feel strongly about this issue, although I disagree with your statement about privacy. Disabling workers decreases attack surface, increasing security and, by extension, privacy.
Others say disable it and provide very good reasons:
https://github.com/ghacksuserjs/ghacks- ... /issues/60
The FBI exploit used workers and I assume other exploits do too
Looks like the Pwn2Own exploit also used workers. If you need more reasons to disable that
ImageImage

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29334
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: MarioNet browser attack

Post by Moonchild » 2019-03-01, 16:30

Disabling workers is not a privacy enhancing change. I don't know why people have that impression.
^ this.

Please don't confuse web workers with service workers.
Web workers are an essential part of many, more complex, websites - with them disabled, you're likely breaking a lot. Even if the website has a fallback it will be horrendously slow without workers.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

yami_
Astronaut
Astronaut
Posts: 506
Joined: 2018-04-26, 11:05

Re: MarioNet browser attack

Post by yami_ » 2019-03-01, 17:39

Off-topic:
cartel wrote:increasing security and, by extension, privacy
Security in not privacy.
cat came back from Berkeley waving flags -- rob pike

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29334
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: MarioNet browser attack

Post by Moonchild » 2019-03-01, 23:53

cartel wrote:increasing security and, by extension, privacy
As an aside: security and privacy are often opposing forces. See: HSTS
Using HSTS increases security on subsequent visits to HSTS sites. Disabling it increases privacy (because it won't store visited HSTS domains/hosts)
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

Sampei Nihira
Banned user
Banned user
Posts: 96
Joined: 2018-04-03, 16:17

Re: MarioNet browser attack

Post by Sampei Nihira » 2019-03-03, 08:02

Hi,

"dom.webnotifications.serviceworker.enabled"

"devtools.browserconsole.filter.serviceworkers"

"devtools.webconsole.filter.serviceworkers"

they are set to "true".

Do I need to switch to "false"?

User avatar
gepus
Astronaut
Astronaut
Posts: 564
Joined: 2017-12-14, 12:59

Re: MarioNet browser attack

Post by gepus » 2019-03-03, 10:16

Nope.
Once serviceworkers are disabled, related prefs should have no effect.

Sampei Nihira
Banned user
Banned user
Posts: 96
Joined: 2018-04-03, 16:17

Re: MarioNet browser attack

Post by Sampei Nihira » 2019-03-04, 17:32

True. :thumbup:
With the test below is highlighted what you wrote:

https://html5workertest.com/

With Chrome, you can block Service Workers as long as you block even the Web Workers.
It can be done with the uMatrix extension.
But even with the uBlock Origin extension you only need to set up a rule.

User avatar
gepus
Astronaut
Astronaut
Posts: 564
Joined: 2017-12-14, 12:59

Re: MarioNet browser attack

Post by gepus » 2019-03-05, 10:46

Speaking of Chrome - this browser and all of its derivatives are banned on my device.

Disabling something is always best practice, compared to blocking something. It saves bandwidth and resources.
For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29334
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: MarioNet browser attack

Post by Moonchild » 2019-03-05, 10:52

gepus wrote:For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.
...or you can just use Pale Moon or Basilisk and not need to do anything ;-)
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

User avatar
gepus
Astronaut
Astronaut
Posts: 564
Joined: 2017-12-14, 12:59

Re: MarioNet browser attack

Post by gepus » 2019-03-05, 11:53

Moonchild wrote:...or you can just use Pale Moon or Basilisk and not need to do anything ;-)
You're right but most of us have more than one browser installed, hence my wording. :)

BTW, is Hyperlink-Auditing an essential part of the modern web? I'm asking because it is enabled by default in Pale Moon.

User avatar
Nigaikaze
Board Warrior
Board Warrior
Posts: 1146
Joined: 2014-02-02, 22:15
Location: Chicago, IL, USA

Re: MarioNet browser attack

Post by Nigaikaze » 2019-03-05, 18:10

gepus wrote:You're right but most of us have more than one browser installed, hence my wording. :)
...or you can just use Pale Moon AND Basilisk and not need to do anything ;)
Nichi nichi kore ko jitsu = Every day is a good day.

User avatar
gepus
Astronaut
Astronaut
Posts: 564
Joined: 2017-12-14, 12:59

Re: MarioNet browser attack

Post by gepus » 2019-03-05, 21:06

Nigaikaze wrote:
gepus wrote:You're right but most of us have more than one browser installed, hence my wording. :)
...or you can just use Pale Moon AND Basilisk and not need to do anything ;)
Assuming that a site doesn't work with Pale Moon then one can test the site with Basilisk or if it doesn't work with Basilisk one can test with Pale Moon. 8-)
How could I miss till now such a great concept?
:coffee:

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 8977
Joined: 2012-10-09, 19:37
Location: Seriphia Galaxy

Re: MarioNet browser attack

Post by New Tobin Paradigm » 2019-03-05, 21:16

Well the added advantage is you will be so busy testing that there will be no time to post about it.
As a young boy, I dreamed of being a baseball.
But tonight I say, we must move forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!

Image

Locked