
Small-Scale Question Sunday for October 30, 2022

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.


Hoping early Monday isn't too late for a small-scale question, so here goes:

In the wake of a friend falling victim to a phishing scam in which they were convinced to send a screenshot of a link to a password reset page (indeed, head-slappingly bad), I'm currently being dragged in real life for my hot take, two-part opinion that

  1. This scam was facilitated by the common advice that you should NEVER follow links because they could be from a hacker and then you will get hacked! and

  2. This advice isn't actually very good, in the sense that nothing bad can really happen to you just from following some random link.

As a web developer I know something about how the web works, but obviously I don't know everything, so I'm curious if someone else can come up with a really bad outcome achievable just by clicking on a link. Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?

Anyway, like I said, suggestions welcome.

You gotta understand the zero-day market a little to understand how that works.

Ideally, it's impossible for just loading a webpage to do anything bad. Web browsers are massively complex pieces of software though, and they basically all have lots of bugs that render the situation non-ideal. Web browser vendors make active efforts to be aware of any such bugs as quickly as possible, and patch them and get those patches out as quickly as possible, hence things like Chrome's rapid update rate. A "zero-day" bug/exploit basically means a way to escape the web browser sandbox that the browser vendors / security community are not aware of yet. Once they are aware of them, they are often patched within days or hours.

Creating new exploits is very difficult and highly valuable due to how useful they can be against the right targets. But since efforts to discover exploits actively in use and patch the bugs they use are so active, it is also valuable to those who create and own them to not use them too widely - as soon as the right person notices them, they can be patched very fast, making that one worthless. They are generally created by national intelligence agencies, some shady companies and less scrupulous individuals, and may be either sold back to browser vendors, for 5-6 figure sums, or to those companies, criminal gangs, etc for probably similar or higher sums. It is to the benefit of such entities to not use them too widely, since they'll be worthless as soon as the wrong person notices them, so they're usually used in highly targeted attacks against specific individuals, and engineered to not be deployed unless the situation is right. Wider targeting probably only happens as a last-ditch effort to get a little more value out of something already patched, hoping to catch some users who haven't updated their browsers yet with a low-value but wide-net attack.

So ideally just going to a website shouldn't hurt anything, but it's probably good advice not to. Because 1. It does leak some information no matter what, 2. Less sophisticated users, or just people who are tired or distracted, can surprisingly often be tricked into entering credentials into phishing sites, and 3. You never know when you might be targeted for attack by something nasty, or not be the intended target but get it anyways, or just be the guy who had the bad luck to have the browser auto-patch run a little later than usual.

In addition to directly injecting malware as the other commenters have stated, clicking on a link will also reveal certain information about the person and their device:

  • The IP address, which can be mapped to a physical location with at least city scale accuracy.

  • The browser's user agent, which typically contains the OS, browser and its version. This may then be used to find exploits that are likely to work in a follow up attack.

If your browser has an unpatched, exploitable vulnerability, the sky's the limit. It shouldn't be possible for a web site to run malicious code on a simple page load, but browsers don't always work the way they should.

There are probably some Auth based exploits if it's really targeted. For a system I work with, for a number of reasons we have approvals handled as links in an email, so when a user clicks the link it opens a page on our site that uses Windows Auth to identify them and takes an identifier from the link to decide which deal they're approving. An attack vector could be someone trying to get something approved that shouldn't be by sending someone with approval rights a doctored link.

With OAuth there are also a whole lot of other possible vectors if you can get the target to also click some accept on a Google dialogue after opening the link.

The oauth angle cannot be overstated. Even CTOs can fall for it. PageFair was hacked this way a few years ago.

My employer has a whole bunch of intranet tooling all tied to my corporate gmail account. Every now and then I get randomly signed out so I have to click the right account and proceed, sighing and paying little attention. If you presented me with a doctored link that duplicated the google account login popup, I would probably fall for it.

Firstly, you say, "just" following a link, as if laymen can be counted upon to just click links and not just arbitrarily download and run things and enter their passwords. In the real world, sometimes you have to lie to people in order to make them do what you want in the first place. In this case, make them extra cautious around websites.

Secondly, I've had this real question and an answer I've gotten from other developers: Websites can probably inject malware onto your file system in the form of cookies, but such malware wouldn't be executed unless from a trigger that a website can't do, so maybe this doesn't answer your question.

No, it's still fairly good advice. If you watch, e.g. the Hacking Google series on YouTube, you'll see the start of the initial Chinese Aurora hack was in fact getting people to click on random links.

The basic idea is that due to weaknesses on some sites (I think XSS -- cross-site scripting is the term) or in other places, you get the people to execute code authenticated as themselves, which sometimes lets you do bad things.

(I am not a front-end person, or a security person, I just have had to follow some of the guidelines and tried to understand why).

Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?

Yeah, it shouldn't matter, but if a site has e.g. an XSS vulnerability the attacker will need to be able to run some initial Javascript as the victim to kick it off. Sending an email so that they'll visit a specific page might be just that.

nothing bad can really happen to you just from following some random link.

Attackers can host exploit kits on the target site, which spray a bunch of exploits against your computer if you visit them. If your browser/plugins/extensions/OS isn't fully up to date this might very well successfully install malware. This was really relevant when I worked in IT security about 6 years ago but seems to have declined a lot recently; still, it shouldn't be dismissed out of hand quite yet.

Thanks for this, I hadn't heard of Exploit Kits before. That said, the vulnerability seems to come from the used-to-be-common experience where a browser would open an Adobe plugin or whatever, something which is uncommon-to-nonexistent nowadays. In the Wikipedia article the first source they cite explaining what Exploit Kits are is an article from 2013!

I did ask for what's possible in the worst case scenario, so fair enough, but I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software. I guess this is another stupid question, but do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software.

Yeah. Any time there's a zero-day exploit for a browser you can be sure that attacks will start using it fairly quickly. For example, cursorily searching online I found an example of two from last year targeting Chrome in the wild.

Edit: Here's another relevant article, from this year: "Google Patches Third Actively Exploited Chrome Zero-Day of 2022"

do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'd say Flash and Java are completely dead for any moderately recent website, yeah. Still, computers might have the plugins installed; perhaps for some internal corporate website that will never be updated. Other than that, I'd guess the Adobe PDF plugin should be fairly common too.

I seem to recall an alert from a while back whereby if your password manager autofills login info, that could make you vulnerable, if you visit a site that embeds a bank's login page within an <iframe>, the parent site would be able to read the relevant DOM elements. Requires a specific browser setup, obviously, but would this still work? Are there exploits that cannot be circumvented by visiting unknown sites in Incognito mode, as I do from time to time when I am curious about a suspicious link?

Not a real programmer but... Aren't your question parameters too wide? If someone has a perfect (presumably zero day) exploit then the link question is just how much can come over bandwidth before the user wises up, and with a modern connection, that's a lot. Granted the only huge hacking op involving zero day exploits I've ever read about was Stuxnet, and that was USB shenanigans, not anything protected by https or modern browsers, but still.

Aren't your question parameters too wide? If someone has a perfect (presumably zero day) exploit

I suppose so. If somehow Chrome granted a page access to the entire filesystem, obviously that would be very bad. But you're probably protected against such an exploit because come on, are you really going to be the first person they target with this attack? Although I retract this skepticism if you are actually a billionaire.

So okay, are there any known ways that a site could extract important private information about a user just by visiting a site (and, let's say, scrolling)?

If somehow Chrome granted a page access to the entire filesystem, obviously that would be very bad.

Spoof it as just another accept/reject cookies. Tech illiterate can't tell.

Gotta admit I'm not about to read all that API documentation for window.showOpenFilePicker() but it looks like the user has to have a lot more specific interaction, i.e. choosing files on local disk, in order for the site to have access. So you wouldn't be able to get access just using some generic popup.