The vulnerabilities have been spotted in the plugin’s whitelist, which is, by default, filled with some popular sites. Other sites can be added manually by the users themselves.
Bryant discovered that the whitelist automatically includes all subdomains (if they are not preceded by http(s)://) of the trusted domains. Also, after checking each default trusted domain he also discovered that one of them – zendcdn.net – had expired!
After Särud read about Bryant’s findings, he downloaded NoScript and took a look at the whitelist. Among the trusted domains he noticed googleapis.com, and remembered that the subdomain storage.googleapis.com is where users host files when they are using Google Cloud Storage.
He immediately tested his attack idea: after registering an account, a HTML file containing a simple, innocuous script was uploaded.
Both researchers notified Giorgio Maone, the developer of NoScript, of these weaknesses. He reacted swiftly, removed the zendcdn.net domain from the plugin’s default whitelist, and changed the googleapis.com entry to ajax.googleapis.com.
But the plugin still automatically whitelists all subdomains of the domains on the list, which still exposes a large attack surface.
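To make the subdomain behaviour concrete, here is a small model of the whitelist matching described above, written for this article as an added example rather than NoScript's own code. It assumes a simplified rule that an entry without a scheme matches the domain and every subdomain while an entry with http(s):// matches only that exact host (NoScript's real matching has more cases, so treat this as an illustration), and it includes an audit helper that lists the entries extending trust to all subdomains, which is what a user reviewing their own whitelist would want to spot:

```python
from urllib.parse import urlsplit

# Constructed sample whitelist for illustration; not NoScript's actual default list.
SAMPLE_WHITELIST = [
    "googleapis.com",               # bare domain: implicitly covers every subdomain
    "https://ajax.googleapis.com",  # scheme given: exact host only
    "example.org",
]


def parse_entry(entry):
    """Return (host, covers_subdomains) for one whitelist entry.

    Simplified model of the behaviour described in the article: an entry
    written without http(s):// matches the domain and all of its subdomains;
    an entry with a scheme matches only that exact host.
    """
    if "://" in entry:
        return urlsplit(entry).hostname.lower(), False
    return entry.strip().lower().rstrip("."), True


def is_allowed(whitelist, url):
    """True if scripts from `url` would run under this whitelist model."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower()
    for entry in whitelist:
        entry_host, covers_subdomains = parse_entry(entry)
        if host == entry_host:
            return True
        # Suffix check with a leading dot so "evilgoogleapis.com" does not
        # match the "googleapis.com" entry.
        if covers_subdomains and host.endswith("." + entry_host):
            return True
    return False


def audit(whitelist):
    """List entries that silently extend trust to every subdomain."""
    return [entry for entry in whitelist if parse_entry(entry)[1]]


def restrict_to_host(entry):
    """Rewrite a bare-domain entry as an exact-host entry (https only)."""
    host, covers_subdomains = parse_entry(entry)
    return "https://" + host if covers_subdomains else entry


if __name__ == "__main__":
    for entry in audit(SAMPLE_WHITELIST):
        print(f"{entry!r} covers all subdomains; tighten to {restrict_to_host(entry)!r}")
    print(is_allowed(SAMPLE_WHITELIST, "https://storage.googleapis.com/bucket/page.html"))
```

With the sample list, a page hosted under storage.googleapis.com is allowed to run scripts because of the bare googleapis.com entry, while the exact-host entry https://ajax.googleapis.com does not extend to any other subdomain.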
“Do you trust every site in NoScript’s whitelist? What about their subdomains? If any domain or subdomain has stored XSS or some other vulnerability that allows an attacker to store arbitrary content on that server – NoScript is essentially useless! You are not only trusting these sites to be non-malicious, you’re trusting them to be secure. Can you say that about every site in the default whitelist?” Bryant pointed out, and encouraged the 2M+ NoScript users to review their whitelist and remove from it all sites they don’t trust.
To do that, go to NoScript > Options > Whitelist.