The attack works because NoScript ships with a limited whitelist of trusted domains, which lets the host browser load commonly used tools from certain content delivery networks like googleapis.com. This feature tries to preserve websites' functionality while still blocking any potentially malicious code.
Because the extension will implicitly trust any subdomain whose parent domain is present in the whitelist, Särud found that NoScript will trust the storage.googleapis.com subdomain, which hosts Google's Cloud Storage service. He uploaded a small test script there, which cleanly got past NoScript.
Särud built upon the work of Matthew Bryant, another security researcher, who found that the whitelist itself was stale—it contained the unused domain vjs.zendcdn.net. Bryant registered zendcdn.net for a mere $10.69, and put up a proof-of-concept script that NoScript dutifully let through.
Both Särud and Bryant contacted NoScript's author about these issues. An updated version of the extension that closes the loopholes noted above is now available, so NoScript users should update immediately.
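The parent-domain matching described above, modeled as an added example (this is not NoScript's code or the researchers'). The function names, the sample whitelist and the exact-host list containing ajax.googleapis.com are assumptions made for illustration.

```javascript
// Added illustration of whitelist matching; not NoScript's actual implementation.
// Constructed sample whitelist using the two domains named in the article.
const WHITELIST = ["googleapis.com", "vjs.zendcdn.net"];

// Hosts under a trusted parent where arbitrary users can publish files.
// storage.googleapis.com is the one the article names.
const USER_CONTENT_HOSTS = ["storage.googleapis.com"];

// Assumed stricter policy: list the exact library host instead of its parent.
const EXACT_ALLOWED = ["ajax.googleapis.com"];

function normalizeHost(host) {
  // Lower-case and drop a trailing root dot so "Example.COM." equals "example.com".
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Behaviour the article describes: an entry is trusted along with every subdomain.
function trustsWithSubdomains(host, whitelist) {
  const h = normalizeHost(host);
  return whitelist.some((entry) => {
    const e = normalizeHost(entry);
    return h === e || h.endsWith("." + e); // dot boundary, so "evilgoogleapis.com" fails
  });
}

// Stricter check: only hosts listed verbatim are trusted.
function trustsExactHost(host, allowedHosts) {
  const h = normalizeHost(host);
  return allowedHosts.some((e) => normalizeHost(e) === h);
}

// Review helper: which whitelist entries implicitly trust a user-content host?
function auditWhitelist(whitelist, userContentHosts) {
  const findings = [];
  for (const entry of whitelist) {
    for (const risky of userContentHosts) {
      if (trustsWithSubdomains(risky, [entry])) {
        findings.push({ entry, exposes: risky });
      }
    }
  }
  return findings;
}
```

Running `auditWhitelist(WHITELIST, USER_CONTENT_HOSTS)` reports the `googleapis.com` entry as exposing `storage.googleapis.com`, which is the condition the update had to close.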