Security Problem in Firefox’s NoScript Add-On

Jul 01, 2015

Mozilla’s script blocker add-on could be putting malware sites on the whitelist.

Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is meant to ensure that JavaScript, Java, and other executable content run only when served from a domain the user has whitelisted as trusted.

According to Detectify researcher Linus Särud, NoScript whitelists the entire googleapis.com domain and every subdomain under it, which means an attacker could craft a malicious script that uses Google services APIs and have it run despite NoScript. The discovery follows an earlier project by Matthew Bryant, who successfully launched an attack that bypassed whitelist protections.

It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!” According to a report in The Register, the NoScript team immediately responded by adapting the tool to whitelist only Google's hosted libraries at ajax.googleapis.com, which should reduce the threat, although it might require more intervention from the user to get any necessary legitimate sites whitelisted.
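The following added example (written for this page, not code from NoScript or its authors) models the whitelist semantics the two paragraphs above describe: an entry matches the domain itself and every subdomain under it, so a broad entry for googleapis.com admits scripts from any host under that domain, while the narrowed entry for ajax.googleapis.com admits only the hosted-libraries host. The whitelist policies, the script URLs and the helper names are assumptions constructed for illustration; the matcher also checks DNS label boundaries so that a lookalike domain does not satisfy a whitelisted suffix.

```javascript
// Added example (not NoScript's code): models how a domain whitelist with
// "domain plus all subdomains" semantics decides whether a script may run.
// Whitelist entries and script URLs below are constructed for illustration.

// Extract the hostname of a script URL; returns null for unparsable input.
function scriptHost(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A whitelisted domain matches itself and any subdomain. The match is made
// on DNS label boundaries so that "notgoogleapis.com" does not match a
// whitelist entry of "googleapis.com".
function hostMatches(host, entry) {
  const e = entry.toLowerCase();
  return host === e || host.endsWith("." + e);
}

// Decide whether a script URL is permitted by a whitelist of domain entries.
function isAllowed(url, whitelist) {
  const host = scriptHost(url);
  if (host === null) return false; // unparsable URL: never whitelisted
  return whitelist.some((entry) => hostMatches(host, entry));
}

// The two whitelist policies the article describes (constructed lists).
const BROAD = ["googleapis.com"]; // before: whole domain and every subdomain
const NARROWED = ["ajax.googleapis.com"]; // after: only the hosted-libraries host

// Constructed sample script URLs (placeholders, not real resources).
const SAMPLE_SCRIPTS = [
  "https://ajax.googleapis.com/ajax/libs/example-lib/example.min.js",
  "https://some-other-service.googleapis.com/path/script.js",
  "https://notgoogleapis.com/script.js",
  "not a url",
];

// Evaluate every sample script against a whitelist; returns url -> allowed.
function evaluate(whitelist) {
  const result = {};
  for (const url of SAMPLE_SCRIPTS) result[url] = isAllowed(url, whitelist);
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("broad policy:", evaluate(BROAD));
  console.log("narrowed policy:", evaluate(NARROWED));
}
```

Under the broad policy both googleapis.com hosts are allowed; under the narrowed policy only ajax.googleapis.com is. The label-boundary check in hostMatches is the detail a hand-rolled whitelist most often gets wrong: a plain suffix test would let notgoogleapis.com through.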

Users are encouraged to install updates. Bryant adds, “Please purge your whitelist. Remove everything you don’t trust.”

https://en.wikipedia.org/wiki/Google_APIs

http://www.theregister.co.uk/2015/07/01/noscript_bypass/
