Researchers point out the holes in NoScript’s default whitelist

Security researchers Linus Särud and Matthew Bryant have recently discovered some sizeable holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash and other plugins from being loaded from sites the user hasn’t designated as “trusted”.

The weaknesses lie in the plugin’s whitelist, which by default is pre-populated with a number of popular sites. Users can add further sites to it manually.

Bryant noticed that any whitelist entry written as a bare domain (i.e. not preceded by http:// or https://) automatically covers all of that domain’s subdomains as well. He then went through every default trusted domain and found that one of them, zendcdn.net, had expired.

So he bought it for less than $11 and pointed a subdomain of it at a small, harmless JavaScript payload. NoScript did not block it. An attacker could have done exactly the same with a malicious payload.

After reading about Bryant’s findings, Särud installed NoScript and took a look at the whitelist himself. Among the trusted domains he noticed googleapis.com, and remembered that storage.googleapis.com is the subdomain on which Google Cloud Storage users host their files.

He immediately tested the idea: after registering an account, he uploaded an HTML file containing a simple, innocuous script.

“Just by visiting the file JavaScript will execute, even if NoScript with default configuration is installed,” he explained, and noted that this bypass is cheaper than Bryant’s, as Google offers a 60-day trial of Google Cloud Storage.

Both researchers notified Giorgio Maone, the developer of NoScript, of these weaknesses. He reacted swiftly, removing zendcdn.net from the plugin’s default whitelist and narrowing the googleapis.com entry to ajax.googleapis.com.

But the plugin still automatically whitelists every subdomain of every domain on the list, so the attack surface it exposes remains large: one subdomain of a trusted domain on which an attacker can host content of their choosing is enough.
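To make the subdomain rule concrete, here is an added example (written for this page, not NoScript’s own code) that models the matching behaviour the article describes: a bare-domain entry covers the domain and every subdomain, while an entry with http:// or https:// covers only that exact scheme and host. The “before” and “after” whitelists, the storage.googleapis.com and zendcdn.net URLs, and the https://example.org entry are constructed test inputs; real NoScript whitelists contain many more entries.

```javascript
// Model of the whitelist matching rule described above. Illustration only,
// not NoScript's implementation; hostnames below are constructed inputs.

// Parse one whitelist entry into a matcher description.
function parseEntry(entry) {
  const m = /^(https?):\/\/([^/]+)$/i.exec(entry.trim());
  if (m) {
    // Scheme given: matches this scheme and this host only, no subdomains.
    return { kind: "origin", scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
  }
  // No scheme: matches the domain itself and all of its subdomains.
  return { kind: "domain", host: entry.trim().toLowerCase() };
}

// Does one parsed entry allow scripts on the page at `url`?
function entryAllows(parsed, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  if (parsed.kind === "origin") {
    return u.protocol === parsed.scheme + ":" && host === parsed.host;
  }
  // The leading dot matters: "evilgoogleapis.com" must not match "googleapis.com".
  return host === parsed.host || host.endsWith("." + parsed.host);
}

// Return the first whitelist entry that allows `url`, or null if none does.
function whitelistMatch(whitelist, url) {
  for (const entry of whitelist) {
    if (entryAllows(parseEntry(entry), url)) return entry;
  }
  return null;
}

// Entries without a scheme are implicit wildcards over all their subdomains;
// these are the ones worth reviewing when auditing a whitelist.
function wildcardEntries(whitelist) {
  return whitelist.filter((e) => parseEntry(e).kind === "domain");
}

// Constructed whitelists: the default entries discussed in the article plus
// one scheme-qualified entry (example.org, an assumption) to show that branch.
const BEFORE_FIX = ["googleapis.com", "zendcdn.net", "https://example.org"];
const AFTER_FIX = ["ajax.googleapis.com", "https://example.org"];

// Constructed URLs standing in for the two researchers' test pages.
const STORAGE_PAGE = "https://storage.googleapis.com/some-bucket/page.html";
const ZENDCDN_PAGE = "http://cdn.zendcdn.net/payload.js";

if (typeof require !== "undefined" && require.main === module) {
  console.log("storage.googleapis.com, before fix:", whitelistMatch(BEFORE_FIX, STORAGE_PAGE));
  console.log("storage.googleapis.com, after fix: ", whitelistMatch(AFTER_FIX, STORAGE_PAGE));
  console.log("cdn.zendcdn.net, before fix:       ", whitelistMatch(BEFORE_FIX, ZENDCDN_PAGE));
  console.log("wildcard entries still present:    ", wildcardEntries(AFTER_FIX));
}
```

The last line of output is the practical check: after the fix, ajax.googleapis.com is still a bare-domain entry, so anything under it is trusted too; reviewing your own whitelist means looking at every scheme-less entry and asking whether you trust all of its subdomains.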

“Do you trust every site in NoScript’s whitelist? What about their subdomains? If any domain or subdomain has stored XSS or some other vulnerability that allows an attacker to store arbitrary content on that server – NoScript is essentially useless! You are not only trusting these sites to be non-malicious, you’re trusting them to be secure. Can you say that about every site in the default whitelist?” Bryant pointed out, and encouraged NoScript’s more than two million users to review their whitelist and remove from it all sites they don’t trust.

To do that, go to NoScript > Options > Whitelist.