Adult sites are stashing exploit code inside racy .svg files
arstechnica.com
Why is SVG necessary for this? JS can be executed from HTML by itself; does putting it into SVG disable certain browser security features? I am a bit confused about this.
Generally, browsers try to make it very difficult for the contents of one website to read or interact with the contents of another website. There is a class of attacks called cross site request forgery (CSRF) where website A tries to trick the browser into sending a web request to website B and performing some action which requires authentication. In this case, the action would be to like a Facebook post.
Imagine something really basic like your bank has an endpoint `GET shite-bank.com/account/transfer?funds=100&to=myEvilAccount`. Website B could try and redirect you to that URL. If you're logged in to shite-bank, then when that request completes you will transfer 100 funds to me. Generally, most websites use various techniques and tokens to prevent other websites from triggering requests like this.

I clicked through the source article, and it sounds like this is specifically a Windows thing: the original article says that when a Windows machine loads the malicious SVG, the malicious JS is parsed in a Microsoft Edge browser process, regardless of the browser a user visited the porn site with (apparently all Windows SVGs load through Edge). I would guess that there is some aspect of this context switch which enables the CSRF attack to work, but it is not explained in the original article.
What the actual fuck? Does that mean that even if I only use Firefox, Edge is involved in loading SVGs? How??
Willing to bet that some browsers just do what the SVG says.
Yes, you are just quoting the article which I already read, but this fails to answer the question why the same JS does something different depending on whether it is part of an SVG or not. Should it not be possible to put the same JS directly into the HTML?
SVGs are treated the same as web pages by modern browsers, either integrated into the DOM directly or as a sort of sub-page. Not much potential for exploits you couldn't do in HTML.
This should mostly be about injection, so someone else uploading a picture to a page and taking it over for other users. Just loading that image might make your account follow some profile there, or even do some action like press a share button.
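An added example (not from the thread or the Ars article) of the defender-side check this comment implies: strip active content from user-uploaded SVGs before storing them, and serve them with headers that deny script execution. It assumes Python 3.9+ with only the standard library; the sample SVG is constructed, and a production sanitizer should use an element/attribute allowlist rather than the denylist shown here.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample: an "image" upload that carries active content, the
# thread's scenario of a picture acting on whoever views it.
UPLOADED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>fetch('/like?post=1')</script>
  <circle r="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text>hi</text></a>
  <image href="http://example.invalid/x.svg"/>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Drop the namespace part of an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned svg, removed items). Drops script-bearing elements,
    on* event handlers and any href that is not a local '#fragment'.
    ET.ParseError on malformed input means: reject the upload."""
    root = ET.fromstring(data)
    removed: list[str] = []
    for parent in list(root.iter()):          # snapshot: tree changes below
        for child in list(parent):
            if _local(child.tag).lower() in ACTIVE_ELEMENTS:
                parent.remove(child)
                removed.append(f"element:{_local(child.tag)}")
    for el in list(root.iter()):
        for attr in list(el.attrib):
            name = _local(attr).lower()
            value = el.attrib[attr].strip().lower()
            if name.startswith("on") or (name == "href" and not value.startswith("#")):
                removed.append(f"attr:{_local(el.tag)}.{name}")
                del el.attrib[attr]
    return ET.tostring(root), removed


def safe_svg_response_headers() -> dict[str, str]:
    """Headers for serving user-supplied SVG: no script, no sniffing, and a
    download instead of a top-level render if the URL is opened directly."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```

ElementTree does not protect against entity-expansion attacks on its own, so parse untrusted uploads with defusedxml or with entities disabled before running this.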
That might make sense, but the article doesn't really indicate that that is what it means.