
SoylentNews is people

posted by Fnord666 on Tuesday November 07 2017, @06:32PM
from the tor-springs-a-leak dept.

Submitted via IRC for SoyCow1984

TorMoil, as the flaw has been dubbed by its discoverer, is triggered when users click on links that begin with file:// rather than the more common https:// and http:// address prefixes. When the Tor browser for macOS and Linux is in the process of opening such an address, "the operating system may directly connect to the remote host, bypassing Tor Browser," according to a brief blog post published Tuesday by We Are Segment, the security firm that privately reported the bug to Tor developers.

On Friday, members of the Tor Project issued a temporary work-around that plugs that IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when navigating to file:// addresses. They said both the Windows versions of Tor, Tails, and the sandboxed Tor browser that's in alpha testing aren't vulnerable.

Source: https://arstechnica.com/information-technology/2017/11/critical-tor-flaw-leaks-users-real-ip-address-update-now/


  • (Score: 3, Interesting) by edIII on Tuesday November 07 2017, @08:07PM (12 children)

    by edIII (791) on Tuesday November 07 2017, @08:07PM (#593793)

    You still need to click on it. It's not like the early information leaks that necessitated the creation of Tails. That and apparently the Windows version and the Tails version aren't vulnerable.

    I'm more worried about the information leaks that happen that don't require interactivity with the user.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by lx on Tuesday November 07 2017, @09:21PM (7 children)

    by lx (1915) on Tuesday November 07 2017, @09:21PM (#593820)

    Do you hover over every link on a webpage to check the URL before you click it?

    • (Score: 5, Informative) by Anonymous Coward on Tuesday November 07 2017, @10:11PM (2 children)

      by Anonymous Coward on Tuesday November 07 2017, @10:11PM (#593840)

      Do you hover over every link on a webpage to check the URL before you click it?

      That only works if you have Javascript disabled as Javascript can change a link during the click action. (If you're using Tor Javascript should be disabled but often isn't due to it being enabled by default because the people setting the defaults are stupid fucktards that have no business even being around a computer let alone setting defaults in an application supposedly designed to be secure. *cough* But I digress...)

      Proof:

      1. Go to Google with Javascript enabled in a clean browser profile. (Clean profile in case some Adblock rule has implemented something to block this bullshit.)
      2. Search for something. Doesn't matter what. Preferably something where you know what the destination site should be. "SoylentNews" would be a good search term.
      3. On the results page, hover over a non-ad link. It will look like the site you expect it to be. Search for SoylentNews, get the link to this site. Nothing unexpected so far...
      4. Right-click the link, then close the context menu by clicking somewhere else. Now hover over the link again. Not where you expected to go, is it? That's malicious Javascript at work changing links as you click on them. Malicious Javascript served up directly from Google. Malicious Javascript with HEAVY obfuscation applied in order to try to hide exactly what they're doing. (View the source and try to read the Javascript. Ugly, isn't it?)
      5. Find another link, this time click and hold the left mouse button on it and drag the link a short distance away from where it was, but don't drop it. Before releasing the left mouse button, tap the escape key to cancel the click action, then release the left mouse button. Now hover over the link you just used the left mouse button on. Same thing, the link has been hijacked by Google's malicious Javascript so that it takes you someplace you didn't expect to go.

      I've had nothing less than some form of a complete brick-shitting WTF?! response from every person I've demonstrated this to. Every. Single. Person. I've demonstrated it to some very knowledgeable systems engineers and CSOs in the hopes that SOMEONE would have known about this. Nope. Everyone who's not a complete tin-hat paranoid (*waves to the crowd* HI EVERYONE!) thinks hovering over links is a safe way to tell exactly where the link will take you.

      1984? Nope, sorry, we went to plaid blowing past that at ludicrous speed a little over a decade ago and nobody even bothered to wave at it as we went past it.

      And people call me paranoid...

      • (Score: 2) by MichaelDavidCrawford on Tuesday November 07 2017, @10:29PM

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday November 07 2017, @10:29PM (#593854) Homepage Journal

        I used it for a while but found that it didn't always work.

        Having an appealing meta description and an identical first paragraph after the header, combined with these sketchy links, enables your site to get more SEO without having anything to do with link popularity.

        When I first wrote about that, the javascript links were only a small sample. Most were the real link. I expect no one objected - you know like boiling a frog.

        --
        Yes I Have No Bananas. [gofundme.com]
      • (Score: 2) by urza9814 on Wednesday November 08 2017, @12:48AM

        by urza9814 (3954) on Wednesday November 08 2017, @12:48AM (#593902) Journal

        Do you hover over every link on a webpage to check the URL before you click it?

        That only works if you have Javascript disabled as Javascript can change a link during the click action. (If you're using Tor Javascript should be disabled but often isn't due to it being enabled by default because the people setting the defaults are stupid fucktards that have no business even being around a computer let alone setting defaults in an application supposedly designed to be secure. *cough* But I digress...)

        Agree with you about Javascript not always being disabled, but it's far worse than just rewriting links. If it rewrites the link to 'file:///...', you'd know *something* weird happened. Even if you didn't know exactly what or why, you'd notice.

        But I wonder if this flaw would still exist if the link is opened directly through a Javascript call. It won't open a browser tab, it won't redirect the page, it'll just fire a request to 'file:///whatever' and discard the response...but meanwhile your IP potentially gets exposed without you knowing anything happened at all. And without you clicking any link.

        This was IMO one of the great advantages of the old* Freenet network. No scripts to expose information and no servers to retrieve it. No active content was supported at all, and you didn't connect to a server you just retrieved static files from a distributed storage system.

        * I say "old" Freenet because I stopped using it back during the 0.5/0.6 network split which was nearly a decade ago now. Based on the idiocy of some of those devs I wouldn't be surprised if they "fixed" that at some point...

    • (Score: 2) by edIII on Tuesday November 07 2017, @11:15PM (3 children)

      by edIII (791) on Tuesday November 07 2017, @11:15PM (#593873)

      Actually, yes. Yes, I do. I'm always looking at the URL and my trust factor in URLs I can't recognize, or go to Akamai or the cloud, is fucking zero. Since I'm most likely surfing with Tails anyways, I might click it for the hell of it. Most of the time though, if I don't recognize your URL, I just don't visit it.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by Runaway1956 on Wednesday November 08 2017, @03:44AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Wednesday November 08 2017, @03:44AM (#593946) Journal

        Always?

        I have a habit of hovering over links. But, I don't *always* do so. I'm really engrossed in some search or puzzle, and my mind is entirely occupied with what I am doing. Especially if I'm on a "trusted" site. I stop doing the hovers, I stop "copy this link address" and pasting it into a new tab, then LOOKING before pressing "enter".

        It's one thing to stay secure while leisurely browsing. It's another thing when trying to rush, or wading through something complicated.

        Maybe that's what separates the pros from the amateurs?

        • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @04:55AM (1 child)

          by Anonymous Coward on Wednesday November 08 2017, @04:55AM (#593963)

          Maybe that's what separates the pros from the amateurs?

          And which do you imagine you are, Runaway?

          • (Score: 2) by Runaway1956 on Wednesday November 08 2017, @02:48PM

            by Runaway1956 (2926) Subscriber Badge on Wednesday November 08 2017, @02:48PM (#594059) Journal

            The answer seems pretty obvious - sometimes I forget. What did YOU think?

  • (Score: 0) by Anonymous Coward on Tuesday November 07 2017, @11:58PM

    by Anonymous Coward on Tuesday November 07 2017, @11:58PM (#593892)

    It's not often I get to say I'm not vulnerable because I'm running Windows. <sarcasm>Unfortunately</sarcasm> I'm not running Windows right now.

  • (Score: 0) by Anonymous Coward on Wednesday November 08 2017, @03:03AM

    by Anonymous Coward on Wednesday November 08 2017, @03:03AM (#593938)

    Does it only happen if you click in A HREF or does it also happen with URLs in IMG SRC? What about iframes? The docs linked only mention URLs and clicking means loading data, but again, no specifics about other loading, like frames, videos or images.

  • (Score: 5, Insightful) by maxwell demon on Wednesday November 08 2017, @05:18AM (1 child)

    by maxwell demon (1608) on Wednesday November 08 2017, @05:18AM (#593966) Journal

    There are plenty of ways of loading extra data without anyone clicking. Look at the following example page:

    <html>
      <head>
        <link rel="stylesheet" href="file://sometracker.com/tracker.css">
        <link rel="icon" href="file://anothertracker.com/favicon.ico" type="image/vnd.microsoft.icon">
        <style>
           div::after { content: url("file://moretracking.com/transparentpixel.png"); }
        </style>
      </head>
      <body background="file://wetrackyoutoo.org/invisible.png">
        Some content ...
        <img src="file://alsotrackedby.gov/transparent.gif">
      </body>
    </html>

    You see, plenty of ways to contact a server without the user clicking a link. And that file doesn't even use JavaScript.

    --
    The Tao of math: The numbers you can count are not the real numbers.
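
A defender-side check for the pattern in the example page above, as an added example that is not part of the original thread: it scans markup for file:// URLs that name a remote host and reports whether each would be requested automatically or only after a click. The function names and the .example hostnames are constructed for illustration.

```javascript
// Added example, not code from the thread. Regex-based so it runs in plain
// Node without a DOM; a production audit should use a real HTML/CSS parser.
// Attributes whose URL is fetched while the page renders, with no click.
const AUTO_ATTRS = new Set(['src', 'background', 'poster', 'data']);
// href loads automatically on <link> but needs a click on <a> and <area>.
const CLICK_TAGS = new Set(['a', 'area']);

// Host of a file:// URL that names another machine, or null if local/other.
function remoteFileHost(url) {
  const m = /^file:\/\/([^\/\\?#]+)/i.exec(url.trim());
  if (!m) return null; // not file://, or file:///local/path (empty host)
  const host = m[1].toLowerCase();
  return host === 'localhost' ? null : host;
}

// Every file://<remote-host> reference in `html`, with how it is triggered.
function findRemoteFileRefs(html) {
  const findings = [];
  const add = (where, url, trigger) => {
    const host = remoteFileHost(url);
    if (host) findings.push({ where, host, trigger });
  };
  // 1. URL-bearing attributes on tags.
  for (const tag of html.matchAll(/<([a-z][\w-]*)\b([^>]*)>/gi)) {
    const name = tag[1].toLowerCase();
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const a of tag[2].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      if (attr !== 'href' && !AUTO_ATTRS.has(attr)) continue;
      const click = attr === 'href' && CLICK_TAGS.has(name);
      add(`<${name} ${attr}>`, value, click ? 'click' : 'automatic');
    }
  }
  // 2. CSS url(...) in <style> blocks and style attributes.
  for (const u of html.matchAll(/url\(\s*["']?([^"')]+?)["']?\s*\)/gi)) {
    add('css url()', u[1], 'automatic');
  }
  return findings;
}

// Constructed sample; the .example hostnames are reserved placeholders.
const SAMPLE = `
<link rel="stylesheet" href="file://tracker-a.example/t.css">
<style>div::after { content: url("file://tracker-b.example/p.png"); }</style>
<body background="file://tracker-c.example/bg.png">
<img src="file://tracker-d.example/t.gif">
<a href="file://tracker-e.example/doc">remote, needs a click</a>
<a href="file:///home/user/notes.txt">local file, not flagged</a>`;
console.table(findRemoteFileRefs(SAMPLE));
```
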
    • (Score: 0) by Anonymous Coward on Thursday November 09 2017, @09:48AM

      by Anonymous Coward on Thursday November 09 2017, @09:48AM (#594547)

      Except you can't generally use file:// from another schema, like http:// because, you know, it's terrible shit. Otherwise you could just easily vacuum files from user systems. Try it.