Security Problem in Firefox’s NoScript Add-On

Jul 01, 2015

Mozilla’s script blocker add-on could be putting malware sites on the whitelist.

Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.

According to Detectify researcher Linus Särud, NoScript whitelists the entire googleapis.com domain and any subdomain, which means an attacker could create a nefarious script that uses Google services APIs to bypass NoScript. The discovery follows an earlier project by Matthew Bryant, who successfully launched an attack that bypassed whitelist protections.

It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!” According to a report in the Register, the NoScript team immediately responded by adapting the tool to whitelist only Google's hosted libraries at ajax.googleapis.com, which should reduce the threat, although it might require more intervention from the user to get any necessary legitimate sites whitelisted.

Users are encouraged to install updates. Bryant adds, “Please purge your whitelist. Remove everything you don’t trust.”

https://en.wikipedia.org/wiki/Google_APIs

http://www.theregister.co.uk/2015/07/01/noscript_bypass/

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News