MarioNet browser attack

[John connor]

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected. This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.

https://www.zdnet.com/article/new-brows ... -web-page/

Is Pale Moon vulnerable?

I use Sandboxe so I gotta wonder if it'd stick?

[Nigaikaze]

Is Pale Moon vulnerable?

Since that attack appears to be based on Service Workers, do a forum search for that phrase and it will answer your question.

[karlchen]

I assume that the recommended search should return this very clear statement by Moonchild on top of the list:

About Push in Pale Moon:
https://www.palemoon.org/info-url/push.shtml

Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.

As a consequence, the answer to the question

Is Pale Moon vulnerable?

should be, "No, it is not, because Pale Moon does not support Service Workers."

[Moonchild]

Is Pale Moon vulnerable?

No, it is not, because Pale Moon by default does not support Service Workers.
(they -can- be enabled through advanced configuration but it is a really bad idea to do so, and that configuration is wholly unsupported)

The same situation is valid for Basilisk.

[John connor]

Well that's good.

I use a plain vanilla install of Firefox for sites that use Recaptcha. Is there a way to turn off Service Workers in FF? Or is it beyond complicated?

[ron_1]

F22 Simpilot wrote:
Is there a way to turn off Service Workers in FF? Or is it beyond complicated?

The ghacks article goes into that (at the bottom).

https://www.ghacks.net/2019/02/26/marionet-attack-lets-hackers-control-your-browser-even-after-you-leave-the-attack-page/

[Michaell]

about:config:
dom.serviceWorkers.enabled = false
or user.js:
user_pref("dom.serviceWorkers.enabled", false);

[cartel]

I made dom.workers.enabled;false also.
I can live without it and google maps

FF wants to hide the setting and enable always:
https://bugzilla.mozilla.org/show_bug.cgi?id=1434934

> Disabling workers is not a privacy enhancing change. I don't know why people have that impression.

Worker SAB was the initial timing intrinsic used to run Spectre in browsers, and some people may be wary of additional timing intrinsics that have yet to be discovered or disclosed. I don't feel strongly about this issue, although I disagree with your statement about privacy. Disabling workers decreases attack surface, increasing security and, by extension, privacy.

Others say disable it and provide very good reasons:
https://github.com/ghacksuserjs/ghacks- ... /issues/60

The FBI exploit used workers and I assume other exploits do too
Looks like the Pwn2Own exploit also used workers. If you need more reasons to disable that

[Moonchild]

Disabling workers is not a privacy enhancing change. I don't know why people have that impression.

^ this.

Please don't confuse web workers with service workers.
Web workers are an essential part of many, more complex, websites - with them disabled, you're likely breaking a lot. Even if the website has a fallback it will be horrendously slow without workers.

[yami_]

Off-topic:

increasing security and, by extension, privacy

Security in not privacy.

[Moonchild]

increasing security and, by extension, privacy

As an aside: security and privacy are often opposing forces. See: HSTS
Using HSTS increases security on subsequent visits to HSTS sites. Disabling it increases privacy (because it won't store visited HSTS domains/hosts)

[Sampei Nihira]

Hi,

"dom.webnotifications.serviceworker.enabled"

"devtools.browserconsole.filter.serviceworkers"

"devtools.webconsole.filter.serviceworkers"

they are set to "true".

Do I need to switch to "false"?

[gepus]

Nope.
Once serviceworkers are disabled, related prefs should have no effect.

[Sampei Nihira]

True.
With the test below is highlighted what you wrote:

https://html5workertest.com/

With Chrome, you can block Service Workers as long as you block even the Web Workers.
It can be done with the uMatrix extension.
But even with the uBlock Origin extension you only need to set up a rule.

[gepus]

Speaking of Chrome - this browser and all of its derivatives are banned on my device.

Disabling something is always best practice, compared to blocking something. It saves bandwidth and resources.
For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.

[Moonchild]

For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.

...or you can just use Pale Moon or Basilisk and not need to do anything

[gepus]

...or you can just use Pale Moon or Basilisk and not need to do anything

You're right but most of us have more than one browser installed, hence my wording.

BTW, is Hyperlink-Auditing an essential part of the modern web? I'm asking because it is enabled by default in Pale Moon.

[Nigaikaze]

You're right but most of us have more than one browser installed, hence my wording.

...or you can just use Pale Moon AND Basilisk and not need to do anything

[gepus]

You're right but most of us have more than one browser installed, hence my wording.

...or you can just use Pale Moon AND Basilisk and not need to do anything

Assuming that a site doesn't work with Pale Moon then one can test the site with Basilisk or if it doesn't work with Basilisk one can test with Pale Moon.
How could I miss till now such a great concept?

[New Tobin Paradigm]

Well the added advantage is you will be so busy testing that there will be no time to post about it.