Firefox, Opera Allow Phishing By Data URI Claims New Paper

← Back to Stories (view on slashdot.org)

Firefox, Opera Allow Phishing By Data URI Claims New Paper

Posted by Unknown on Monday September 3, 2012 @07:08PM from the but-it-said-it-was-a-cat-picture dept.

hypnosec writes "A student at the University of Oslo, Norway has claimed that Phishing attacks can be carried out through the use of URI and users of Firefox and Opera are vulnerable to such attacks. Malicious web pages can be stored into data URIs (Uniform Resource Identifiers) whereby an entire webpage's code can be stuffed into a string, which if clicked on will instruct the browser to unpack the payload and present it to the user in form of a page. This is where the whole thing gets a bit dangerous. In his paper, Phishing by data URI [PDF], Henning Klevjer has claimed that through his method he was able to successfully load the pages on Firefox and Opera. The method however failed on Google Chrome and Internet Explorer."

151 comments

Min score:

Reason:

Sort:

Chrome and IE by harryfeet · 2012-09-03 19:08 · Score: 0, Troll

I'm not surprised to see IE ranking well. It has grown to be one of the most secure browsers ever made. Only Chrome has something like IE. Internet Explorer has sandboxing and JIT hardening and all these things while Firefox and Opera have hardly anything (Firefox is actually the worst in this regard).
1. Re:Chrome and IE by Doctor_Jest · 2012-09-03 19:24 · Score: 0
  
  I'm not surprised to see the astroturfing come in so quickly, either.
  
  --
  It's the Stay-Puft Marshmallow Man.
2. Re:Chrome and IE by macraig · 2012-09-03 19:29 · Score: 4, Interesting
  
  What are some benevolent use cases of these data URIs that justify supporting them? I'm not baiting you, just ignorant and curious.
3. Re:Chrome and IE by Anonymous Coward · 2012-09-03 19:33 · Score: 3, Informative
  
  small inline images on a webpage, it saves a separate retrieval of the image. Of course the download is a bit larger since the image is first base64 encoded.
4. Re:Chrome and IE by bersl2 · 2012-09-03 19:35 · Score: 5, Informative
  
  it's more about how IE and Chrome don't support DATA uri's
  I'm not actually sure that this is the case. (Change the Wikipedia entry if it's wrong, then.)
5. Re:Chrome and IE by Anonymous Coward · 2012-09-03 19:37 · Score: 3, Informative
  
  it's more about how IE and Chrome don't support DATA uri's. the article is stupid. that's what the article really is about, if it supports data uri's or not.
  Chrome and IE both support data URIs. Chrome doesn't allow redirecting to a data URI for this reason
6. Re:Chrome and IE by macraig · 2012-09-03 19:43 · Score: 4, Insightful
  
  I've been reading the Wikipedia entry, and if I grasp it correctly there's a distinct negative repercussion to use of them: they could apparently be used to stuff HTML elements into one "get" and possibly defeat all sorts of HTTP proxy filters, ad blockers, and other sundry Web-page tweakers in the process. If that's true, I would not be in favor of their use or support at all. I use all sorts of tools and extensions to "take back the Web"; I don't want to lose the abilities those tools enable.
7. Re:Chrome and IE by Tom · 2012-09-03 19:57 · Score: 2, Insightful
  
  Whatever may or may not be true in regards to IE security, this particular vulnerability does not work on IE because it has a length limit on data URIs, not because anyone thought of it and secured it against it. It's accidental. Chrome is the browser that has an actual security feature preventing this attack.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
8. Re:Chrome and IE by Tom · 2012-09-03 19:58 · Score: 4, Informative
  
  They were originally implemented to contain data inside documents where you need everything to be contained in one file - such as early e-mail systems.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
9. Re:Chrome and IE by nomaddamon · 2012-09-03 20:03 · Score: 5, Informative
  
  Take a website with 100 small images, with average image size 10kb, latency (3-way handshake+data) = 25ms, and your bandwidth = 10Mbit/s
  
  Using 5 paralel connections (max allowed by http) the site will download in 10/1280*100 + 0,025*20 = 1,28 seconds
  
  Embeding all images in original document using data URI's (~1.37x overhead to data size but no latency impact), the site will download in 10*100*1,37/1280 = 1,07 seconds
  
  HTTP2.0 / SPDY will solve this, but it will take many years till they are widely adopted.
10. Re:Chrome and IE by bloodhawk · 2012-09-03 20:05 · Score: 1
  
  IE does support Data URI's though??? at least it did, have they removed this functionality or is it merely a more secure implementation than firefox and opera?
11. Re:Chrome and IE by macraig · 2012-09-03 20:15 · Score: 1
  
  I noticed from the Wikipedia article that it had a long history dating back to the late Nineties. Webmail certainly had more limitations back then, not that HTML was really designed to handle that job.
12. Re:Chrome and IE by Anonymous Coward · 2012-09-03 20:15 · Score: 0
  
  Why the fuck is he marked insightful. Both Chrome and IE do support DATA uri's. FFS at least check if someone is talking out their arse before modding them up.
13. Re:Chrome and IE by harryfeet · 2012-09-03 20:18 · Score: 0, Troll
  
  ALERT! Don't mod up gl4ss in this thread. He is wrong. Both Chrome and IE do support data URLS. HE IS WRONG!
14. Re:Chrome and IE by macraig · 2012-09-03 20:18 · Score: 3, Interesting
  
  My worry, if I understand this correctly, is that this could be used as a means to thwart every ad-blocker and page tweaker and HTTP proxy filter in existence. That would not be a good thing at all....
15. Re:Chrome and IE by gl4ss · 2012-09-03 20:26 · Score: 0
  
  Why the fuck is he marked insightful. Both Chrome and IE do support DATA uri's. FFS at least check if someone is talking out their arse before modding them up.
  their implementation of data uri's is different, from what I gathered from the guys posts some browsers just don't support as long mega-long data uri's.
  and a guy is likely to link the link rather than be redirected to one in the first place, no? but ultimately the article isn't about phishing, but about different support for data uri's. the phishing angle is just tacked on so that the guys paper would get eyeballs.
  
  --
  world was created 5 seconds before this post as it is.
16. Re:Chrome and IE by TheRaven64 · 2012-09-03 20:33 · Score: 3, Interesting
  
  HTTP2.0 / SPDY will solve this, but it will take many years till they are widely adopted.
  Not entirely. You still need to completely fetch and parse the main web page before you start fetching the images from it. If you use data URLs, then you implicitly fetch them before you even know that you need them. This is one advantage that Flash and Java applets have over JavaScript + HTML + image + sound files. There was some plan for allowing browsers to grab a page plus all of its resources in some kind of container file, but I don't recall it going anywhere.
  
  --
  I am TheRaven on Soylent News
17. Re:Chrome and IE by cpicon92 · 2012-09-03 20:41 · Score: 5, Informative
  
  I'm sorry, but that's downright untrue. See for yourself: https://en.wikipedia.org/wiki/Data_Uri#Web_browser_support
  
  Microsoft has limited its support to certain "non-navigable" content for security reasons, including concerns that JavaScript embedded in a data URI may not be interpretable by script filters such as those used by web-based email clients. Data URIs must be smaller than 32 KiB in Version 8.
  Version 9 does not have the 32 KiB limit.
18. Re:Chrome and IE by thomthom · 2012-09-03 20:43 · Score: 1
  
  Avoiding expensive HTTP requests.
19. Re:Chrome and IE by hairyfeet · 2012-09-03 20:50 · Score: 2
  
  Oh Lord its Twitter! Long time man, WTF you been up to? I can't believe you made a knockoff of my user ID, hell you made knock offs of Macthorpe and all the other old timers so I was starting to feel left out there, nice to see I'm well regarded enough to rip off, thanks.
  As for TFA that's why i give my customers Comodo Dragon, based on Chromium but without all the Google phone home bits. the new IE may be secure but frankly who gives a rat's ass, when the refused to backport it to their STILL UNDER SUPPORT operating systems like XP (and isn't the next version only gonna work on 7 & 8?) it became completely useless as far as I'm concerned.
  With Dragon you can run any Windows from XP-8 and have the same browser synced so it all "just works" which is nice and as a bonus you have any problems their devs are constantly on their forums and are quick to get back to you with help.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
20. Re:Chrome and IE by Anonymous Coward · 2012-09-03 20:54 · Score: 0
  
  It depends. I have my Firefox compiled as a position independent executable (PIE), with full RELRO and ASLR. I also have it "sandboxed" with a Mandatory Access Control system that comes in the Linux kernel. It really depends on how the binary was compiled and with which compiler. On Windows machines such hardening is probably not common, at least for Firefox.
  Sure Chrome has its own sandbox (on Linux it is merely a chroot), but I see little benefit of it over using AppArmor, for instance. It accomplishes the same thing.
21. Re:Chrome and IE by psmears · 2012-09-03 20:55 · Score: 4, Informative
  
  and a guy is likely to link the link rather than be redirected to one in the first place, no?
  No - that was one of the points of the article.
  Increasingly the source of phishing URLs is social media rather than email. In tweets (and to a lesser extent on other social media) it's common to send a shortened URL (tinyurl, bit.ly, goo.gl etc) that redirects to the actual URL, and consequently users won't be surprised to receive such a short URL, and will probably click on it - whereas if they received a massively long "data:" URL with lots of base64 data after it, their suspicions would be more likely to be raised...
  
  --
  Need to type accents and special characters in Windows? Use FrKeys
22. Re:Chrome and IE by slacka · 2012-09-03 21:26 · Score: 3, Informative
  
  it's more about how IE and Chrome don't support DATA uri's. the article is stupid. that's what the article really is about, if it supports data uri's or not.
  WRONG! From the PDF:
  "In Google Chrome in particular, a control for unsafe redirection is im-
  plemented, disabling the user direct access to a data URI if that URI is
  the target of a redirection, such as from a URL shortening service."
  "Internet Explorer has a limit to data URIs,"
  Google Chrome and IE have implemented security features to prevent this form of attack.
23. Re:Chrome and IE by Anonymous Coward · 2012-09-03 21:26 · Score: 0
  
  Why are you talking to yourself, asswipe?
24. Re:Chrome and IE by Anonymous Coward · 2012-09-03 21:28 · Score: 2, Informative
  
  One use case is the local generation of downloadable content. For example, if you generate a sound file with Javascript, you can present the file as a clickable link that will allow the user to save the file, without first sending all the data to the server and then downloading it from there. A DTMF sequence generator could be written as a 100% client side script. An image processing script could likewise allow the user to save the edited image locally. There exist Javascript libraries for that purpose which convert HTML5 canvases into data URIs.
  Generally data URIs come in handy when a roundtrip to the server is undesirable. Many use cases have different solutions now ("sprite collections" instead of many small files in web design, MIME embedded images in email.) Unfortunately, the potential for mischief has been quite obvious for a long time, because data URIs avoid many detection schemes by avoiding the server roundtrip, and consequently they have fallen from grace somewhat and saw no further improvement. You can't even suggest a filename if you use data URIs as a downloadable link.
25. Re:Chrome and IE by higuita · 2012-09-03 22:01 · Score: 4, Insightful
  
  sandboxing is just another layer of security, it isnt a silver bullet solution... in fact many times (like in chrome) is used as a excuse to not proper check things and do a more careless development (from the security point of view). all is well until someone finds a way to break out the sandbox (just look at the recent java security problems) and then you can use one of the many holes to hop jump the sandbox and reach the OS.
  Firefox mostly dont have sandbox, but have many other proper security checks that other lack, and its secure because of then. Of course sandbox is yet another layer that should exist and they are slowly sandboxing key areas. Its harder because they want to support various OS at the same level where chrome have a full sandbox in windows but a lot weaker one in linux (see https://code.google.com/p/chromium/wiki/LinuxSandboxing and https://code.google.com/p/chromium/wiki/LinuxSUIDSandbox... things might be better when seccomp is enabled by default in chrome)
  So yes, sandbox is good, but should not be trusted as the main security barrier in one application, other checks are always needed.
  
  --
  Higuita
26. Re:Chrome and IE by Anonymous Coward · 2012-09-03 22:03 · Score: 1, Informative
  
  You sound like an 7 year old pretending to be a robot.
27. Re:Chrome and IE by Anonymous Coward · 2012-09-03 22:17 · Score: 0
  
  I use them to encode small icons into greasemonkey scripts instead of dealing with full blown extensions. There's one quite popular one that puts a pdf and envelope icon next to email and pdf links, for instance.
28. Re:Chrome and IE by Lazy+Jones · 2012-09-03 22:24 · Score: 2
  
  OTOH if those small images can be cached, the advantage of using data-URIs disappears (is negated) on the 2nd time someone visits the page. So I don't think it's a very good idea to do it in this case.
  
  --
  "I love my job, but I hate talking to people like you" (Freddie Mercury)
29. Re:Chrome and IE by Anonymous Coward · 2012-09-03 22:27 · Score: 0
  
  Doesn't work on Android like it says it should. I would change the entry, but every change I make gets reverted by the Wikipedia police.
30. Re:Chrome and IE by Anonymous Coward · 2012-09-03 22:36 · Score: 1
  
  They're doing it wrong, the correct security implementation is a warning prompt for the user.
31. Re:Chrome and IE by nomaddamon · 2012-09-03 22:45 · Score: 3, Informative
  
  In some cases, data-URI might be still faster (though less bw-effective), i.e if you take the original example and account for 54ms latency (3way handshake+initial response packet) then reloading the page (with all images cached) would take 0,054*20=1,08s since a query to the server for each image is still required
  
  When using high-latency - high-throughput connection (i.e. mobile, satellite) then data-URI will be a lot faster than caching.
32. Re:Chrome and IE by Anonymous Coward · 2012-09-03 22:52 · Score: 1
  
  WRONG! "Has a limit to data URIs" is not a security feature, it's just poor implementation. Not redirecting to data URIs is a feature, as evidenced by ERR_UNSAFE_REDIRECT code.
33. Re:Chrome and IE by e70838 · 2012-09-03 22:53 · Score: 2
  
  I never click on a shortened URL. Maybe I am too old :-(
34. Re:Chrome and IE by Tom · 2012-09-03 23:00 · Score: 1
  
  Interesting. Then Wikipedia and TFA are at odds regarding their claims regarding IE data support. Thanks for the correction.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
35. Re:Chrome and IE by Anonymous Coward · 2012-09-03 23:01 · Score: 0
  
  2 minor points: extracting data URI from canvas is standard API, no need for libraries and Google proposes download="" attribute to give preferred filename for <a> tag.
  Still, recent browsers have FileWriter API, so this use-case of data: URIs is only relevant to older browsers.
36. Re:Chrome and IE by someones · 2012-09-03 23:56 · Score: 2
  
  Your argument is invalid.
  Most of us are using http1.1 which has connection keep alive.
  That would make your example 0.80625 seconds where uris would still need 1,07 seconds.
  Also if you live somewhere where you need 25ms for a tcp handshake to complete, consider changing your ISP.
37. Re:Chrome and IE by Ambassador+Kosh · 2012-09-04 00:27 · Score: 5, Informative
  
  The best use case I know of is to inline all your small images you use for styling the site in the master stylesheet for the website. This way you only have one request instead of the hundred plus that many sites have.
  Based on some tests I have done on many sites the vast majority of the time is spent on just getting 304s back on all the resources that have not changed. Inlining those small images can save 90% or more of the page load time.
  
  --
  Computer modeling for biotech drug manufacturing is HARD! :)
38. Re:Chrome and IE by Anonymous Coward · 2012-09-04 00:32 · Score: 0
  
  What are some benevolent use cases of these data URIs that justify supporting them? I'm not baiting you, just ignorant and curious.
  CSV export of dynamically rendered table data that's already in the browser.
39. Re:Chrome and IE by RobbieThe1st · 2012-09-04 00:36 · Score: 3, Informative
  
  It would block proxy filters and adblockers, /if/ the ads were kept onsite(which is one of the main problems with most ads today - loading them from offsite takes ages). Otherwise, any browser-based tools will simply treat it like a image/object from the page which can then be blocked accordingly. It will be loaded, but the extra KB or so in the single main page request won't really affect load time on anything but dialup, and the time will be far less than if the image was seperate.
40. Re:Chrome and IE by RobbieThe1st · 2012-09-04 00:39 · Score: 1
  
  Only until you create rules for blocking that include it; it won't prevent the ad from /loading/, but it can stop it from displaying. And this sort of ad wouldn't allow for load tracking specifically, so it wouldn't matter - you're loading the mainpage anyway, right?
41. Re:Chrome and IE by Anonymous Coward · 2012-09-04 00:45 · Score: 0
  
  Right, I needed an unsupported file format, so I had to resort to an encoder written in Javascript instead of using a built-in encoder. The download attribute is nice, but apparently it's not widely supported. Neither is the FileWriter API.
42. Re:Chrome and IE by TheMMaster · 2012-09-04 00:53 · Score: 0
  
  And we all know that that software is entirely static and won't ever get updated to support data uris before they are in widespread use.
  Good catch sir!
  
  --
  Fighting for peace is like fucking for virginity
43. Re:Chrome and IE by Anonymous Coward · 2012-09-04 01:06 · Score: 0
  
  I stand corrected. Unlike reading files, FileWriter is supported only by 3 browsers now (2 of which are Chrome), so legitimate use for data: isn't yet going anywhere.
44. Re:Chrome and IE by The+MAZZTer · 2012-09-04 01:06 · Score: 2
  
  If your webserver supports GZIP compression in HTTP responses the difference might not be too bad.
45. Re:Chrome and IE by The+MAZZTer · 2012-09-04 01:14 · Score: 1
  
  Chrome uses data uris internally for inline background-images in CSS.
  Webpages can use them for similar purposes. One less resource to query for.
  They can also be used to easily construct files for the user to download, then you can stick them in a data uri and present them to the user as a link, or navigate to a data uri to force a download or display the resource to the user.
46. Re:Chrome and IE by macraig · 2012-09-04 01:17 · Score: 1
  
  It's not at all nice to deliberately misframe the comments of another merely to create an artificial opportunity to mock him. You're being a tool, and not the useful kind.
  I said it was a WORRY that it COULD be used that way. I said nothing at all about whether I thought such extensions and proxies could be updated to compensate, and I said nothing about it because I don't actually know that to be the case with any authority; for all I know it might not even be possible to intercept such repackaged elements. I also don't know with any authority that it ISN'T the case... I SIMPLY DON'T KNOW and thus didn't address it. Then you came along gunning for an opportunity to make yourself feel superior and decided to manufacture an opportunity out of thin air. You help no one with that bullshit, least of all yourself.
47. Re:Chrome and IE by macraig · 2012-09-04 01:26 · Score: 1
  
  Any relation to account 527904? Hope not. That one's a tool.
48. Re:Chrome and IE by Lazy+Jones · 2012-09-04 01:49 · Score: 1
  
  1,08s since a query to the server for each image is still required
  
  That's not the case if the images came with an "Expires" header or similar, browsers will just reuse them without any network operation. You can verify this with all the built-in header/network debugging facilities in major browsers.
  
  --
  "I love my job, but I hate talking to people like you" (Freddie Mercury)
49. Re:Chrome and IE by Anonymous Coward · 2012-09-04 01:51 · Score: 1
  
  That's why you put the data URIs in an external CSS file. Then they're cached with the rest of the CSS that is only referenced by each page. OTOH most web designers use sprite collections (many small images combined into one file, separated by CSS). That's even faster, as it doesn't incur the base64 encoding overhead and only needs one additional HTTP request (one for the CSS plus one for the image collection, instead of just one for the CSS).
50. Re:Chrome and IE by dkf · 2012-09-04 01:54 · Score: 1
  
  Embeding all images in original document using data URI's (~1.37x overhead to data size but no latency impact), the site will download in 10*100*1,37/1280 = 1,07 seconds
  
  The size overhead would be likely not much of an issue; the data URIs would compress quite reasonably back down to something close to the originating data size (assuming a compressed data format, of course, but that's the overwhelmingly common case). Reworking the math to allow for the compression takes the download time estimate back to 0.78s; that's about ~40% faster, not ~20% faster as you had worked out.
  On the other hand, I suspect your calculations are an oversimplification anyway due to the fact that a full TCP initiation handshake isn't required for every image due to connection reuse and pipelining, and there's the possibility to do parallel downloading of the containing document (through use of the HTTP Range header) and so on. Plus there's the effect of caches, and using CSS sprites to reduce the per-image overhead, and a whole bunch of other things that I can't think of right now. But data URLs can most certainly be part of the mix.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
51. Re:Chrome and IE by MightyYar · 2012-09-04 02:06 · Score: 1
  
  You could also stitch all the images together in a grid and then use CSS to display different portions of the same image. JQuery does this for widgets.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
52. Re:Chrome and IE by SQLGuru · 2012-09-04 02:10 · Score: 1
  
  If the server side code pulled the ads and the page was dynamically generated, you'd have the "best" of both worlds. Unblocked ads that weren't stored locally.
53. Re:Chrome and IE by CastrTroy · 2012-09-04 02:29 · Score: 1
  
  Or consider changing the speed of light. If you live 1/2 way around the world from the server, it would take 133 ms just for a single round trip. And that's only taking into account the speed of light, and not counting real world scenarios. In the real world, you effectively have to double that, giving you about 266 ms just for a single ping. tcp handshake is a little more complex. Even New York to Los Angeles is about 4000 km, which would give a theoretical minimum ping time of 26.8 ms.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
54. Re:Chrome and IE by Anonymous Coward · 2012-09-04 02:33 · Score: 1
  
  SPDY can actually push content to the browser without waiting for requests. So you can push all the images that the client will need to display the document without waiting for the client to parse the document and make requests.
55. Re:Chrome and IE by sootman · 2012-09-04 03:50 · Score: 2
  
  And they're AWESOME for packing a few small images into a CSS file to save round-trips to the server and make life MUCH better on mobile devices with high latency.
  
  --
  Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
56. Re:Chrome and IE by Lennie · 2012-09-04 04:27 · Score: 1
  
  Ads are always loaded from other domains, don't worry about that.
  
  --
  New things are always on the horizon
57. Re:Chrome and IE by Lennie · 2012-09-04 04:29 · Score: 1
  
  What they usually do is create one CSS-file with all the smaller images included. The CSS-file can be cached, but still saves a whole bunch of requests for small images.
  
  --
  New things are always on the horizon
58. Re:Chrome and IE by Lennie · 2012-09-04 04:30 · Score: 1
  
  The biggest problem with TCP is False Start, but which means many small HTTP-requests will still be a lot slower than sending one large HTTP response.
  
  --
  New things are always on the horizon
59. Re:Chrome and IE by Ambassador+Kosh · 2012-09-04 04:30 · Score: 1
  
  The problem I ran into is that in practice people rarely actually use expires. They just let their web framework send a 304 when the browser checks. Also if you use expires it makes things more complex since if you change the image the new information does not show up instantly.
  Mostly though the problem is very very crappy web frameworks.
  What I do is set the expires etc stuff to 30 years or so and then I change the urls to the images whenever the image changes. That works insanely well since everything caches it correctly but you still see changes instantly.
  
  --
  Computer modeling for biotech drug manufacturing is HARD! :)
60. Re:Chrome and IE by Lennie · 2012-09-04 04:31 · Score: 1
  
  Many do both, include the sprite (as such a grid is called) in a CSS-file, the CSS-file is referenced on many pages on the site.
  
  --
  New things are always on the horizon
61. Re:Chrome and IE by Lennie · 2012-09-04 04:33 · Score: 1
  
  No worries, IE still supports MHTML which doesn't have the lenght limit.
  
  --
  New things are always on the horizon
62. Re:Chrome and IE by Anonymous Coward · 2012-09-04 04:42 · Score: 0
  
  Won't stop a custom hosts file user. They cut off ads from their originating source domains and at the most efficient level possible: Ring 0/RPL 0/kernelmode, acting as a filter for the IP stack itself (unlike other solutions that operate layering in more complexity in usermode/Ring 3/RPL 3 in webbrowser addons OR separate programs running in usermode entirely).
63. Re:Chrome and IE by Anonymous Coward · 2012-09-04 07:40 · Score: 0
  
  If he had said something positive about Chrome you would be claiming it was astroturfing.
  Your bias is showing.
64. Re:Chrome and IE by Anonymous Coward · 2012-09-04 07:43 · Score: 0
  
  http://an.al/jU1c3
65. Re:Chrome and IE by loufoque · 2012-09-04 08:39 · Score: 1
  
  Are you crazy? 25ms is very fast for a tcp handshake.
66. Re:Chrome and IE by Crudely_Indecent · 2012-09-04 09:56 · Score: 1
  
  It's convenient to put a black-and-white low-res placeholder image on a page using a data uri, so the area of the page where the full-resolution image will eventually be placed isn't blank while waiting for the much larger image to download.
  
  --
  
  "Lame" - Galaxar
67. Re:Chrome and IE by courtarro · 2012-09-04 11:44 · Score: 2
  
  To solve this latency problem, most well-designed websites use a single large GIF or PNG for all their tiny CSS images, then slice the image to indicate each independent icon, border, etc. This not only reduces the total image overhead but also greatly reduces the total number of 304s to receive.
  Example: one of Facebook's icon resource files
68. Re:Chrome and IE by hennikl · 2012-09-04 18:13 · Score: 1
  
  The security feature in Chrome is that redirection to data URIs are disallowed. Not data URIs themselves. If you enter a data URI into the address field, or is linked to one directly, without redirection, it works.
69. Re:Chrome and IE by Anonymous Coward · 2012-09-04 18:16 · Score: 0
  
  I'm not surprised to see the astroturfing come in so quickly, either.
  Someone said something positive about something to do with Microsoft, SHILL SHILL ASTROTURF! ...sounds more like google employees getting on to anything positive regarding MS and calling it astroturfing or shilling.
70. Re:Chrome and IE by SharpFang · 2012-09-04 18:22 · Score: 1
  
  The problem is advertizers don't trust their customers not to cheat. What's to stop you, a site owner, from requesting the ad a billion times and sending it to /dev/null?
  Only a customer-originated request hitting your adserver assures the customer got the ad.
  Then, client-side adblocks would still be able to block the ads...
  For me,the greatest yet-unrealized advantage of data URIs is what the article lists as its disadvantage: ability to easily integrate rich user content, without need to upload it to some servers. Posting an image to a forum? Don't upload it to imageshack or other services that will delete it in a month. Don't have a fancy system of uploading to the forum host. Simply have some javascript create your [IMG]data:image/jpeg,base64;86fciyitv==[/IMG] and hide the actual base64 content in the message typing preview.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Something like this was in Old IE 4 by Anonymous Coward · 2012-09-03 19:19 · Score: 0

I reported a bug in IE4, where I could basically make a URL:
About://HTML
and the HTML was replaced with whatever I wanted.
It took a couple versions but apparently they fixed it.
In other words... by c0lo · 2012-09-03 19:29 · Score: 1, Insightful

In other words, IE and Chrome do not implement the data URI to the specification.
Lucky them, they can pose now as "more secure".

--
Questions raise, answers kill. Raise questions to stay alive.
1. Re:In other words... by Anonymous Coward · 2012-09-03 20:09 · Score: 1
  
  reading more of the paper, it is more a case of both IE and Chrome have additional security mechanisms around Data URI's, not an issue with them not implementing them.
2. Re:In other words... by BuypolarBear · 2012-09-03 20:10 · Score: 1
  
  Hey now, as Steve Jobs will tell you, that's a feature.
3. Re:In other words... by bloodhawk · 2012-09-03 20:11 · Score: 4, Informative
  
  nope, it appears to be that both Chrome and IE have other protections around Data URI's, they both implement them. Chrome does it by preventing redirections.
4. Re:In other words... by furbearntrout · 2012-09-03 20:14 · Score: 3, Interesting
  
  In other words, IE and Chrome do not implement the data URI to the specification. Lucky them, they can pose now as "more secure".
  I actually read TFS(TFRFC?). IIRC, the standard doesn't specify that an application honor redirects. It would depend on your interpretation of
  
  "the same security considerations as any implementation of the given media type."
  The passage seems to imply a "default deny" approach.
  
  --
  Crap. What did the new CSS do with the "Post anonymously" option??
5. Re:In other words... by micheas · 2012-09-03 20:20 · Score: 2
  
  If I understand the situation correctly, the situation is that tiny url returns a redirect to a data URI.
  IE and Chrome do not forward from an external URI to a data URI, which considering that the point of data URI's is to reduce http requests, this seems somewhat reasonable.
  It seems to me that the core problem is cross domain 30x redirects being transparent in browsers.
  
  --
  Work bio at MMWD
6. Re:In other words... by Anonymous Coward · 2012-09-03 21:25 · Score: 0
  
  IE and Chrome do not forward from an external URI to a data URI, which considering that the point of data URI's is to reduce http requests, this seems somewhat reasonable.
  Reducing HTTP requests isn't the only use case. In the past, I have specifically allowed data URLs in shorteners (protocol whitelist). Encoding then pasting the result into a web page can be much faster than uploading to a web server, much safer than entering server login credentials if you're using a 3rd party machine.
  The sane thing to do would be a warning dialogue; "you are being redirected to a dataURL". With the requisite "do not show this warning again" checkbox.
7. Re:In other words... by jonadab · 2012-09-04 02:23 · Score: 1
  
  > It seems to me that the core problem is cross domain
  > 30x redirects being transparent in browsers.
  
  I'll buy that. Every single use of it that I have ever seen could reasonably be classified as abuse. That goes double for URL-obscuring^H^H^H^H^H^H^H^H^Hshortening "services".
  
  --
  Cut that out, or I will ship you to Norilsk in a box.
8. Re:In other words... by Anonymous Coward · 2012-09-06 13:51 · Score: 0
  
  This author's document does not even reference the source of his data: www.sans.org/reading_room/whitepapers/.../base64-pwned_33759. Shame
9. Re:In other words... by Anonymous Coward · 2012-09-06 13:54 · Score: 0
  
  sorry, 1st time responder here!! the full non-Google-ized link is: http://www.sans.org/reading_room/whitepapers/auditing/base64-pwned_33759.
Underlying Operating System ... by dgharmon · 2012-09-03 19:30 · Score: 1

How do these malicious URIs get access to the underlying Operating System?

--
AccountKiller
1. Re:Underlying Operating System ... by Anonymous Coward · 2012-09-03 19:42 · Score: 0
  
  import os
2. Re:Underlying Operating System ... by Tom · 2012-09-03 19:55 · Score: 5, Informative
  
  They don't. It's a phishing attack, its intent is to get you to enter your password to some interesting site on a fake of that site. Afterwards, they'd redirect you to the real one or show a bogus error message, and then loot your account there.
  One attack vector against phishing attacks has been to take the site down where the fake is hosted. If the bad guys don't have to host the fake anymore because it is entirely self-contained in the phishing mail you send out through their botnet, then there is one less thing we can do against phishing.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
3. Re:Underlying Operating System ... by Anonymous Coward · 2012-09-03 19:59 · Score: 0
  
  So, the first thing we did against phishing is still working...
  Don't click on random links in emails. And if you do anyway, DON'T F*KING ENTER YOUR CC NUMBER.
4. Re:Underlying Operating System ... by Tom · 2012-09-03 20:32 · Score: 2
  
  So, the first thing we did against phishing is still working...
  No, it isn't. For a lot of people it doesn't. It may work for you and me because we understand the technology, but it doesn't for millions of users who don't.
  The issues in phishing are multiple - I've given speeches about some of them - and "don't click those links" as a "solution" is about as good as telling smokers to "just quit already" - there is a small fraction on which that actually works, but for most people it doesn't.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
5. Re:Underlying Operating System ... by Anonymous Coward · 2012-09-03 22:03 · Score: 0
  
  If it didn't work, we wouldn't use it.
  Yes, it works. That some people refuse to use that method, doesn't mean that it doesn't work.
  Your claim is just as stupid that claiming that German cars don't work, because I don't own one.
6. Re:Underlying Operating System ... by Robert+Zenz · 2012-09-03 22:34 · Score: 2
  
  No, it isn't. For a lot of people it doesn't. It may work for you and me because we understand the technology, but it doesn't for millions of users who don't.
  People who are falling for E-Mail scam would also fall for it they'd receive it via mail, or get a phone call...or if you suddenly stand at their doorstep. Heck, some of them even would fall for it if you talk to them in a public park.
7. Re:Underlying Operating System ... by Tom · 2012-09-03 22:59 · Score: 3, Insightful
  
  If it would work, we would see a considerable decline in phishing activities and success, because we (i.e. the IT security industry) have been telling that line to users for about a decade now.
  All the statistics I have available show no such decline. The Verizon data breach report is publicly available and has been saying on and off for many years that phishing is still an issue, is getting bigger, is not decreasing as much as everyone had hoped, etc. etc.
  Fact: Phishing still works enough to be a big industry.
  Fact: We've been saying "don't click on e-mail links" to users for 10+ years.
  Fact: The IQ 100 median norm has slightly increased during that time.
  Conclusion: People are dumb is not a sufficient answer.
  Addendum: Humanity has used lots and lots and lots of stuff in its history that didn't work. Raindances, homeopathy, coins for the ferryman, need I go on?
  
  --
  Assorted stuff I do sometimes: Lemuria.org
8. Re:Underlying Operating System ... by arth1 · 2012-09-03 23:19 · Score: 1
  
  People who are falling for E-Mail scam would also fall for it they'd receive it via mail, or get a phone call...or if you suddenly stand at their doorstep. Heck, some of them even would fall for it if you talk to them in a public park.
  This is obvious. What's not so obvious is that we collectively, if not individually, encourage this behavior. We made "network" into a verb. We allowed "inherited trust" (like "friends of friends"). And we advocated antivirus and firewalls as a solution, not a remedy.
  And we don't punish them, or allow them to be punished for their crimes when their machines spew out spam or attempt to infect others with viruses. No, then we call them "victims". We don't call fences or johns "victims", do we?
  By pandering to the unprotectable, we will in the long run harm ourselves. There's little reward for being security conscious and network conscientious. There isn't enough impact for evolution to select against the ignorant and for those who exercise common sense, because we protect and pander to the ignoramuses as much as we can.
  Mind, this isn't just a computer and Internet phenomenon. Look at a modern car. Not only does it parallel park for you, but it breaks if you get too close to the car in front, beeps or vibrates the steering wheel if you cross a yellow line or the speed limit, and monitors your eyes to wake you up if you drowse.
  This won't fix the main problem, which is careless drivers. If anything, it will shape even less careful drivers who will be even more dangerous if they ever get into a car without these support wheels.
  Similar for the PC and Internet. Our pampering of the careless and ignorant leads to a breed of users that are even more stupid than before. Put them on a machine without all the protections, and they will be even more a danger too.
  Can we please start fining a lack of common sense? So these people at least pay for all the extra costs to society, and evolution can slowly start selecting against them?
9. Re:Underlying Operating System ... by arth1 · 2012-09-03 23:21 · Score: 1
  
  but it breaks if you get too close to the car in front
  While they have brought back the Dodge Dart, I really meant "brakes" here...
10. Re:Underlying Operating System ... by Robert+Zenz · 2012-09-04 00:01 · Score: 1
  
  That's exactly my point. OP made it sound like it would be a problem with the technology...which it isn't.
  
  Can we please start fining a lack of common sense? So these people at least pay for all the extra costs to society, and evolution can slowly start selecting against them?
  THIS!
11. Re:Underlying Operating System ... by Anonymous Coward · 2012-09-04 02:20 · Score: 0
  
  Stop wasting your breath, and relieve them of their money already:
  1. peddle them a websence license ( use unnecessary F.U.D if necessary )
  2. configure the currently known bad sites list
  3. bill them $$$ ...
  4. update the list and bill them again
12. Re:Underlying Operating System ... by Anonymous Coward · 2012-09-04 02:56 · Score: 0
  
  Your conclusion is flawed in that you assume smart people participate in dumb activities, such as falling victim to phishing scams, to a great enough degree to appreciably impact your data regarding user education. You would see no decline, for instance, if the vast majority of smarties have already adopted the "don't click that" mentality, rendering "people are dumb" essentially correct, though your point that user education is /not/ the answer would still stand for exactly that reason.
13. Re:Underlying Operating System ... by mcgrew · 2012-09-04 03:08 · Score: 1
  
  Look at a modern car. Not only does it parallel park for you, but it breaks if you get too close to the car in front
  Man, your car sure is poorly engineered. You have to see a mechanic every time you get too close to another car?? I think I'd trade that clunker in!
  
  --
  Free Martian Whores!
14. Re:Underlying Operating System ... by Tom · 2012-09-04 08:52 · Score: 1
  
  As a matter of fact, at least one study concluded that IT professionals score only marginally better at phishing detection than average users (within the margin of error, I believe), and IT security professionals just slightly better again.
  It's not a matter of "we are doing it right, they are stupid".
  Your counter-argument is flawed because it does ignore the emergence and education of new users, which due to the constant growth of Internet access has been a major factor that you can not ignore.
  User education, at least as it is being done at this time, is deeply flawed and very inefficient. It is not entirely ineffective, but the amount of effort compared to the gain is ridiculous. I am aware that many people in the industry disagree with me. Interestingly, most of them have things like "user awareness training" in their portfolio. It's a great money-maker, exactly because it is inefficient and because it needs to be repeated regularily, etc. etc.
  Same for Phishing. "tell the user to ..." shifts blame, saves us from doing any actual research and allows us to sell overpriced, inefficient training courses.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
15. Re:Underlying Operating System ... by Jonner · 2012-09-04 08:59 · Score: 1
  
  How do these malicious URIs get access to the underlying Operating System?
  If you'd read TFA, you'd know this is potentially useful as part of a phishing attack to fool users supplying private data such as login credentials to an attacker. It is not a vulnerability in any browser.
16. Re:Underlying Operating System ... by Tom · 2012-09-04 08:59 · Score: 1
  
  Can we please start fining a lack of common sense? So these people at least pay for all the extra costs to society, and evolution can slowly start selecting against them?
  Part of it is common sense, part of it is bad design and bad technology and lots and lots of bad on our end.
  I have a nice slide that I use in my presentations on the subject. I don't think I need it here on /. - picture your typical phishing e-mail displayed in your typical e-mail app. Here's your problem:
  Everything that invites you to click on that link, fall for that scam, make that mistake, is in the center of your field of vision, big, in colour, drawing your attention. Psychology at work.
  Everything that warns you about impeding doom, informs you about what's going on and helps you steer clear of that danger is small, black-on-grey or otherwise inconspicuous, at the edge of the window if it isn't outright hidden.
  There's your problem. In your normal operating modus, where you don't suspect someone is trying to scam you, where your mind is on other things, your problem is in your mind, not in the computer. Phishers know that and exploit it. Telling users to "not click those links" is like telling a hungry kid in a candy store to ignore all the sweets. It ignores basic facts of human signal processing.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
News? by Anonymous Coward · 2012-09-03 19:47 · Score: 0

I really wonder about the quality of new papers. There is no new attack vector. It is still phishing. It doesn't matter if the page is loaded from the phishing mail or from another server. I think it is harder to spot a typo in the domain than spotting the data line address.
Also it doesn't matter how you load the phishing website. If you clicked the link in the mail you are either curious to investigate or deserve to fall for it.
Wonder if this works on /. by Sqr(twg) · 2012-09-03 19:47 · Score: 3, Funny

Testing if I can embed
1. Re:Wonder if this works on /. by Sqr(twg) · 2012-09-03 19:53 · Score: 2
  
  Nothing seems to happen if I click on the link with firefox. However, I do get to the spoof page if I manually copy the link location and paste it in the address bar.
2. Re:Wonder if this works on /. by n30na · 2012-09-03 20:00 · Score: 1
  
  in chrome, it doesn't work at all.. just can't load page, even if copied to url bar manually. In firefox, clicking the link does nothing, while if copied to the url bar, it would appear that firefox tries to google it.
3. Re:Wonder if this works on /. by game+kid · 2012-09-03 20:05 · Score: 4, Interesting
  
  A view-source shows Slashdot transmits the link as data:texthtmlbase64[rest of data], instead of, say, data:text/html;base64;[rest of data], and that change probably breaks the link if the browser didn't already. I'm quite disturbed that /. allowed the [rest of data] anyway (and gave you the legendary Long Comment Modifier for it!), though.
  Indeed, nothing (visible) happens on link click here (probably due to that change) in the latest Nightly or IE9, but make sure your blogs disallow data URIs (or gives them a mighty security check) in public comment sections and such.
  
  --
  You can hold down the "B" button for continuous firing.
4. Re:Wonder if this works on /. by Sqr(twg) · 2012-09-03 20:08 · Score: 2
  
  Nope. Apparently "copy location" doesn't work either. Firefox silently left the clipboard unchanged. (I just happened to already have the URI there from copying it into my previous post.)
  Slasdot does include the data URI in the HTML, but firefox seems to be immune to it.
  (Why doesn't slashdot allow editing of posts?)
5. Re:Wonder if this works on /. by Anonymous Coward · 2012-09-03 21:04 · Score: 0
  
  Slashdot mangles data URIs. You can still use some anonymous redirection services to get around the restriction: Don't click here
6. Re:Wonder if this works on /. by Vintermann · 2012-09-03 22:14 · Score: 2
  
  Why doesn't slashdot allow editing of posts?)
  Same reason slashdot doesn't allow unicode: it's based on really old software.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
7. Re:Wonder if this works on /. by Anonymous Coward · 2012-09-03 23:03 · Score: 0
  
  "(Why doesn't slashdot allow editing of posts?)"
  
  Because the error ridden nature that makes us all cringe, oft times results in very humorous and entertaining reading. Allowing the editing after the post would change things and the whole reason for reading Slashdot would disappear in the dust. Everyone would spend time thinking about what they are saying instead of just sticking their foot in it.
  Do you really think that us anon cowards are really here for any other reason? Other than posting rhetorical questions like this one and constantly commenting about the illiterate state of computer users?
  The other reason post editing is not allowed is that there is not enough time in the universe to edit some of the posts on this forum especially ones alluding to Internet Explorer being more secure than Firefox. The way this thread is turning out. I come here to read the nonsense and only on occasion do I find enlightenment but I always find my sides splitting at what happens when articles about user security are discussed.
8. Re:Wonder if this works on /. by mcgrew · 2012-09-04 05:48 · Score: 2
  
  (Why doesn't slashdot allow editing of posts?)
  Because then you could post an insightful comment, get a +5, and edit it to be Goatse and GNAA. Or you could say something REALLY stupid, and when corrected, edit it to make whoever corrected your stupidity look stupid himself.
  Your editing options are the "preview" button.
  
  --
  Free Martian Whores!
9. Re:Wonder if this works on /. by trytoguess · 2012-09-04 08:15 · Score: 1
  
  Slashdot could make it impossible to edit your post if you get a moderation or a comment. It'd be better than nothing I think.
Can anyone explain to me why this is worse than by Chrisq · 2012-09-03 19:49 · Score: 2

Can anyone explain to me why this is worse than serving up the same "malware" on a web page instead of a data URL? The screenshot in the paper clearly shows the url starting "data:text/hml;" instead of http://en.wikipedia.org/ so surely it is just doing the same thing as if I hosted a mock wikipedia login on "mysite.com" - and is a lot less likely to fool people than if I used a domain like wikipediaLogin.com
1. Re:Can anyone explain to me why this is worse than by Sqr(twg) · 2012-09-03 19:58 · Score: 3, Interesting
  
  It is worse because you can embed the entire spoof in link-spam, and thus have no need for a domain that could be blacklisted, shut down by authorities, or traced back to you.
2. Re:Can anyone explain to me why this is worse than by Chrisq · 2012-09-03 20:23 · Score: 1
  
  Fine for denial of service or such, but for harvesting it still has to get back to you somehow
3. Re:Can anyone explain to me why this is worse than by ArsenneLupin · 2012-09-03 20:46 · Score: 1
  
  Theoretically, the phishing page could post the submitted data to some pastebin page (or similar service)
4. Re:Can anyone explain to me why this is worse than by someones · 2012-09-03 23:59 · Score: 1
  
  or be served from there?
5. Re:Can anyone explain to me why this is worse than by ArsenneLupin · 2012-09-04 00:08 · Score: 1
  
  it would have the wrong mime-type (text/plain instead of text/html)
6. Re:Can anyone explain to me why this is worse than by squiggleslash · 2012-09-04 01:21 · Score: 1
  
  OK, talk me through this. I want to steal a credit card number, Amazon login, or person's favorite color, using this technique. To prevent myself from being shut down before I can harvest the information, I encode the entire form, designed to look like my bank's home page/Amazon.com's login page/MyFavoriteColor.com, as a data: URI. The user enters the information into the dubious form and clicks "Submit".
  ...what then? How does the information get back to me without a domain that can be blacklisted?
  
  --
  You are not alone. This is not normal. None of this is normal.
7. Re:Can anyone explain to me why this is worse than by cryptizard · 2012-09-04 01:47 · Score: 1
  
  Sends it to you through a chain of anonymous remailers.
8. Re:Can anyone explain to me why this is worse than by Sqr(twg) · 2012-09-04 02:59 · Score: 1
  
  The data you harvest is encrypted and posted as a comment on the same page where you stored the data URI, or sent to some irc channel, or to any of a million places on the internet that accepts data from a POST form and displays the result publicly.
9. Re:Can anyone explain to me why this is worse than by squiggleslash · 2012-09-04 05:24 · Score: 1
  
  How do you access the remailer from a webpage? At best you'd be able to insert a "mailto:" link and have the user manually approve the email to send!
  
  --
  You are not alone. This is not normal. None of this is normal.
10. Re:Can anyone explain to me why this is worse than by squiggleslash · 2012-09-04 05:31 · Score: 2
  
  OK, let's go through the options:
  1. Email. You receive email. You click on data: link. Where does phishing form send your crap to?
  2. Forum. You see a message on a forum requesting you log in to Amazon and re-enter your credit card. Wait. What? Anyway, this then takes advantage of the fact it's on a forum, a forum that doesn't have any CAPTCHA type stuff to prevent posting a new message, and nobody notices (a) the original post and (b) the information being posted back to the forum.
  3. One of the other sites on the Int...
  Look, either way, it's sending data that can be blocked. There's little or no difference between this and just getting a throwaway domain and sending people to that.
  I'm trying desperately to find an advantage. One where someone can use this to circumvent the need to have a server that can be shut down. All the ways in which data is passed back require a server that can be shut down. It might not belong to the phisher (but they're already running botnets and stuff, right?) but it needs to exist.
  
  --
  You are not alone. This is not normal. None of this is normal.
11. Re:Can anyone explain to me why this is worse than by cryptizard · 2012-09-04 06:28 · Score: 1
  
  This technique lets you put arbitrary javascript in the page. I imagine there is some webmail with an exposed API you would be able to invoke via XMLHTTPRequest.
12. Re:Can anyone explain to me why this is worse than by Anonymous Coward · 2012-09-04 11:39 · Score: 0
  
  1. Anywhere it wants. It can be a third-party service like Pastebin, or the traditional foreign domain, or sent into the botnet herd where it eventually finds its way back to the C&C server. You are, after all, in full control of the HTML and JS being served.
  2. More realistically, it would be in the form of a private message in that forum poised to spear-phish information like user password. Alternatively, it could be a standard "check out this vid" link which attempts to load some sort malware on the users computer.
  3. No, it cannot necessarily be blocked. With traditional phishing pages there was an actual domain, a physical location on the internet that can be removed or blocked. In this attack, you are removing the ability for people to blacklist or takedown your site, because the site is built from the URI itself.
  There are numerous ways, perfectly legal ways, in which this data can be propagated from the victim to the attacker. Namely, it is through any number of legitimate third party APIs. In this scenario, you can not (or rather, should not) take down the APIs, as they are only providing a service. This attack dramatically lowers the bar on phishing attacks because it no longer requires owning your own domain or finding an injection vulnerability on the victim domain.
But the URL will still not be your bank! by Ash+Vince · 2012-09-03 19:49 · Score: 1

This might technically be a phishing exploit but you would have to be pretty stupid to fall for it still as the address bar at the top of the page would not be your banks a web address.

--
I dont read /. to RTFA, I read /. to offend people in ignorance.
1. Re:But the URL will still not be your bank! by John+Hasler · 2012-09-04 00:45 · Score: 1
  
  > ...you would have to be pretty stupid...
  So it only works on half the population.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:But the URL will still not be your bank! by Ash+Vince · 2012-09-04 07:07 · Score: 1
  
  > ...you would have to be pretty stupid...
  So it only works on half the population.
  Good point.
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
And then what? by Hentes · 2012-09-03 19:50 · Score: 1

So I click on a link and a page loads, as expected. What happens then? How does that page compromise my browser?
1. Re:And then what? by bloodhawk · 2012-09-03 20:25 · Score: 2
  
  It doesn't compromise your browser, it simply allows unsuspecting users to be tricked. hence why it is a phishing vulnerability e.g. a link supposedly to your bank login page, the page looks identical to your bank login page but sends the details to the link authors server where they can harvest your credentials to later empty your bank account while all the time appearing that you clicked on a valid link if you were not paying attention.
2. Re:And then what? by Hentes · 2012-09-03 21:55 · Score: 1
  
  But you don't need a data URI for that. I just don't see how using this achieves anything more than a traditional link. It won't be able to fake certificates and the URI will look very suspicious.
3. Re:And then what? by Anonymous Coward · 2012-09-04 00:11 · Score: 0
  
  But you don't need a data URI for that. I just don't see how using this achieves anything more than a traditional link. It won't be able to fake certificates and the URI will look very suspicious.
  See http://yro.slashdot.org/comments.pl?sid=3091769&cid=41220309
gusess what by Chrisq · 2012-09-03 19:50 · Score: 0, Troll

I'm not surprised to see IE ranking well.
I have a piece of shit in my toilet bowl that ranks just as well in this case. It too is incapable of opening data URLs
Works fine in Chrome with two caveats by Anonymous Coward · 2012-09-03 20:14 · Score: 0

Caveats:
1) Chrome doesn't seem to work with base64 encoding in the data URI scheme.
2) Chrome appears to have a length limit for page data. I was able to get about 11502 characters of URI encoded text rendered. That works out to 7717 characters of HTML in my test case.
JUST USE BIT.LY AND YOU ARE SAFE !! by Anonymous Coward · 2012-09-03 20:54 · Score: 0

Because those are sooo short !!
I'll take what's behind door #2, Monty !!
Works in chrome by Anonymous Coward · 2012-09-03 21:02 · Score: 0

Open the url in Chrome. Fails.
Now do Refresh. Voila!
So if someone can embed a refresh, haha.
hmmm by ixuzus · 2012-09-03 21:15 · Score: 1

I actually went and read the paper that this is supposedly all based on. (I know, it's not the done thing and I apologise) I don't know if it has changed since the other article was written but I couldn't find any reference to Opera or Firefox.

It does mention that Chrome will throw an error but if you hit enter or reload it will work. There is a one sentence reference to the fact that IE has "a limit to URIs". I presume that means a length limit and if so IE is not invulnerable - only the initial payload has to be smaller.

While there is much hand wringing about the fact that it cannot be shut down because there is not central server it is hosted on I don't see it as an issue. For phishing to be effective the stolen data has to actually GO somewhere which probably provides a target that can be shut down. It doesn't matter how long the URI circulates after the target is shut down - all that stolen data is probably going to the great byte bucket in the sky.

I think the more interesting point that the paper made is that phishing sites can effectively be hosted on link shortening services using this method.
NoScript says ... by holle2 · 2012-09-03 22:29 · Score: 1

... in an alert box of it's own:
javascript: and data: URIs typed or pasted in the address bar are disabled to prevent social engineering attacks.
Developers can enable them for testing purposes by toggling the "noscript.allowURLBarJS" preference.
Browsing the Web w/o NoScript is dangerous to the core anyway.
Just my 2cents
- Holger
1. Re:NoScript says ... by Anonymous Coward · 2012-09-04 00:03 · Score: 0
  
  Bump that. Not a shill, just a satisfied user.
How is this an attack? by Anonymous Coward · 2012-09-03 23:54 · Score: 0

You click on a link and it displays the inlined HTML in a browser, exactly as the specification demands. The address bar shows a URL that starts with "data:" instead of "http:" and looks nothing like the URL of the spoofed site. What makes this a vulnerability?
Uri by Anonymous Coward · 2012-09-04 00:28 · Score: 0

Does it also bend spoons?
You can do a lot with a data URI by crumhorn · 2012-09-04 00:31 · Score: 1

If you nest your languages, you can do a remarkable amount in a data URI: here's a Javascript chess-playing app, and an unbounded supply of webpages exploring the Collatz Graph, respectively. I expect you could get a small phishing site (which pulled graphics, etc, from the real thing) done similarly, and there's no server to take down. Writing a viral data URI that mailed itself to your friends might be harder.
1. Re:You can do a lot with a data URI by John+Hasler · 2012-09-04 00:51 · Score: 1
  
  > You can do a lot with a data URI
  But can you do anything actually useful with one? Seems like a poorly thought out idea to me. I see no good reason why anything in a URI should ever be rendered or executed.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
^bump^ by TubeSteak · 2012-09-04 00:49 · Score: 1

Well played Anonymous Coward.
This changes everything
Here's an online Base64 decoder for those unwilling to click the link
http://www.motobit.com/util/base64-decoder-encoder.asp
Don't forget to set it for "decode"

--
[Fuck Beta]
o0t!
The paper by Anonymous Coward · 2012-09-04 02:00 · Score: 0

Well, the paper actually says:

Internet Explorer has a limit to data URIs,
(it does not even end the sentence).
whereas he broadly explains that

In Google Chrome in particular, a control for unsafe redirection is implemented, [...]

That probably means, that the version of IE he used just had a size limit for data URIs, instead of having some "real" security feature implemented.
Therefore he presumably tested his data URI with IE 8, not with IE9.
This works as intended, not an attack by DontLickJesus · 2012-09-04 04:56 · Score: 1

The appropriate url is displayed, data URIs serve a purpose. OP, this is ridiculous. Quit giving this guy a voice.

--
Where genius and insanity become confused true wisdom is found
Security through obesity by Anonymous Coward · 2012-09-04 08:26 · Score: 0

The length of the nal URI is a consequence of the data hidden within.
If the original web page is very large, embedding linked material within may
not be viable.
America has been preparing for this for a long time now... security through obesity.
To clarify by Anonymous Coward · 2012-09-04 10:06 · Score: 1, Insightful

As the author of the paper I feel the need to clarify a tiny point before I fall asleep. Google Chrome is vulnerable, it is only REDIRECTION TO A DATA URI that Chrome sees dangerous and denies. For more details, please contact me on Twitter (@hennikl) or by email (it's in the paper title). I'll try to watch this thread and give more exhaustive answers after some hours of beauty sleep. It seems a lot of the commenters do not grasp the idea completely ;) --Henning Klevjer
To clarify by hennikl · 2012-09-04 11:01 · Score: 4, Interesting

As the author of the cited paper, I feel that I have to clarify a few issues here: As well as Opera and Firefox, GOOGLE CHROME ALSO "suffers" from the ability to host data URIs. It just distrusts being redirected to one. IE (it is said) has a size limit to data URIs of 32 KB. However, in my tests, a ~26 KB URI was tried, unsuccessfully. The data URI phishing pages can be made in many ways, differing in how they use other data. One can make a true offline (or local) version of a web page if all linked content on the page is contained in the "root page" through yet another data URI. If the data URI web pages are presented on a computer running a related trojan program, this program may handle the communication of the "secret information" (credit card #, passwords, etc.). This can be done P2P (as in botnets) thus no need for server infrastructure. Another issue I'm discussing in my paper (http://klevjers.com/papers/phishing.pdf) is that of ownership to the data URI contents. I feel TinyURL unwittingly takes ownership of whatever content that is hosted there, as they store the entire (phishing) web page on their servers.
Re:Inconsistantly Odd Alert by runningduck · 2012-09-04 13:52 · Score: 1

File this one under uninteresting and an obvious forgery.
Technically this is not much different than just hosting a look-alike page to collect passwords. The phishing attack would be much more interesting if the URL wasn't so obviously bogus. According to the paper an attack could use a URL shortener to further hid the obviously odd URI. The problem with this is that the URI attack described in the article requires that you send the URI with payload to the victim. A URL shortener service has no reasonable way to direct the short URL to the crafted URI.
Ironically, using a shortened URL (tinyurl, bit.ly goo.gl etc) would make it easy to hide a real phishing site hosted out on the Internet. To say that this is a security hole is to say that because all browsers allow people to go to sites that can claim to be who they are not all browsers are insecure.

--
-rd
Hack by Anonymous Coward · 2012-09-04 19:22 · Score: 0

So "researcher reveals how a link *itself* can be malicious"?
Really?
And this guy writes about this, and couldn't be bothered to take 5 minutes to put a working clickable example-link online somewhere?
Its the usual "Hackers can write a virus that makes your computer explode!!!!"-BS