Slashdot Mirror


Google Patches Chrome Bug That Lets Attackers Steal Web Secrets Via Audio Or Video HTML Tags (bleepingcomputer.com)

An anonymous reader writes: "Google has patched a vulnerability in the Chrome browser that allows an attacker to retrieve sensitive information from other sites via audio or video HTML tags," reports Bleeping Computer. The attack breaks CORS -- Cross-Origin Resource Sharing, a browser security feature that prevents sites from loading resources from other websites -- and will attempt to load resources (some of which can reveal information about users) inside audio and video HTML tags. During tests, a researcher retrieved age and gender information from Facebook users, but another researcher says the bug can also be used to retrieve data from corporate backends or private APIs. Ron Masas, a security researcher with Imperva, first discovered and reported this issue to Google. The bug was fixed at the end of July with the release of Chrome v68.0.3440.75.

14 comments

  1. Browsers are too complicated and not robust enough by Anonymous Coward · · Score: 2, Insightful

    Browsers are too complicated these days and things are not helped by the fact they were not designed with typical engineering discipline in mind.

    For example, HTML parsers have a whole set of rules for how malformed input should be handled. There is only one acceptable answer and that is that malformed input should be rejected. That would force people to write correct HTML code (in the same way they are forced to write correct C++ or Python code) and would make parsing more robust.

    Things are not helped by an idiotic scripting language in the form of Javascript which did indeed take all the engineering rules - and then promptly threw them away and did the exact opposite.

    Certainly for the more critical production uses, we need simple web browsers which implement core functionality and are written in languages and to engineering standards which encourage correct functionality.

  2. mobile firefox + google gmail by Anonymous Coward · · Score: 0

    Why when I visit gmail with mobile Firefox, does Firefox keep asking for permission for microphone and camera?

    1. Re:mobile firefox + google gmail by Anonymous Coward · · Score: 0

      Just a guess since I don't use gmail. Probably for that hangouts bullshit.

    2. Re:mobile firefox + google gmail by Anonymous Coward · · Score: 0

      Because Firefox does not automatically allow anything coming from google.com domain as Chrome does.

  3. Re:Browsers are too complicated and not robust eno by sexconker · · Score: 5, Insightful

    I propose a new standard for a secure internet markup and programming language engine. SIMPLE. If you want a 4-character file extension, you can go for SMPL.

    It'll be secure because it says so right in the name of it.
    It'll be for the internet because everything is for the internet, and if it's not someone will take it and put it on the internet anyway.
    It'll be both for markup and programming, because apparently that's what we do now.
    It'll be both a language and an engine, because we can't seem to separate a language's spec and a given implementation to parse, render, or execute it anymore, and JAVASCRIPT "FOR THE SERVER" IS A FUCKING THING FOR SOME REASON.

    Here's the current draft spec:

    1: To start off, fuck your encodings and your content types and your character sets. As much as I hate it, we're just gonna fucking use UTF-8 and if your shit don't render fuck you.

    2: None of this shit where we allow broken files. If a file isn't properly formatted it is to be considered malicious and outright rejected with no processing. You'll put closing tags for fucking everything and you'll like it. No trailing slash for empty tags. Put a damned closing tag.

    3: No fucking cross domain anything. I don't give a shit. If you want your users to see and work with shit from another domain, send them there or rehost that content yourself and take responsibility for it. If you want to read information about your users as seen/set by another domain, go fuck yourself.

    4: No persistent cookies or whatever else. Your users can log in and get session cookies, but once the session is gone you're back to square one. If you want to remember shit about them, then fucking store that shit on your server and associate it with their user ID.

    5: No god damn auto playing anything without the user's explicit and specific active choice to do that.

    6: At no time will a SIMPLE browser expose anything about its user other than what URL the user is requesting, what data the user is actively choosing to submit, and what minimal data the user is implicitly submitting in order to maintain a coherent session across requests. No fucking battery API. No fucking list of plugins. No fucking advertising IDs.

    8: Other than that it's basically XHTML and oh, let's say ActionScript.

  4. Don't get distracted by developmental methodology. by jbn-o · · Score: 1

    What you need is software freedom: the freedom to run, inspect, share, and modify published computer software. Developmental methodology won't get you the provable security of free software and it won't necessarily get you the freedom to make your computer do what you want it to do by following your instructions.

    It would be possible to come up with a browser that worked as you described but was proprietary. Such a browser would be as untrustworthy as other proprietary malware proves to be (not just Google's proprietary software either; there's plenty of proprietary malware to choose from, this is a structural problem with all proprietary software). With proprietary software it hardly matters if malware comes about through an engineering accident or on purpose because either way even the capable and willing users are forbidden from doing anything to help themselves to fix the problem, or to help their community by distributing a fixed version. A defensible developmental methodology is nice as far as it goes, but that doesn't go far enough to get societies what we need. What we need is software freedom.

  5. Re:Don't get distracted by developmental methodolo by Anonymous Coward · · Score: 0

    Yes, because OpenSSL worked so well.

  6. Re:Browsers are too complicated and not robust eno by Anonymous Coward · · Score: 2, Insightful

    You forgot:

    9: No API for pop-up, pop-over or pop-under. It is on the page, or it doesn't exist. (popups are a very bad user interface in general - and not needed on the web.) Need to show an ad? Put it on the page somewhere.

    10: No API for moving the mouse cursor position. Having that is evil - I have seen abuses but never ever an occasion where this did anything useful. Shouldn't be hard - there aren't cursors on touch-only things anyway, pages must already work without this capability. A mouse cursor only ever moves because someone moved the mouse/digitizer.

    11: No ability to turn the cursor invisible or make a near-invisible one. Even if your webapp doesn't need a cursor right now, I need to see it to move it into some other app. (No, you're not fullscreen.)

    12: Your webpage stays inside the browser window. It can't maximize the browser or move the window. The browser itself may have such capabilities, but the content should not.

  7. Impersonating me AGAIN? Ok then... apk by Anonymous Coward · · Score: 0

    1st: You're NOT me (but wish you were) & I'm NOT here to win a "popularity contest": I'm here to WIN so EVERYONE DOES & be faster/safer/more reliably connected online.

    Your CRAP's what I PUT UP W/ if one's "World-Class" (like ME): STALKERS stalking me by UNIDENTIFIABLE ac (everyone sees it happening & I suspect it's INFERIOR competitors, webmasters & advertisers (mostly) & malware makers (as my hosts engine affects 'em adversely & gives users of it more SPEED/SECURITY/RELIABILITY & more anonymity online)).

    THAT & IMPERSONATING ME as you are proving you wish you were me + IMITATION = sincerest form of flattery.

    APK

    P.S.=> 3 things show I do it right:

    1st = User praise my hosts engine https://tech.slashdot.org/comm...

    2nd "ATTACKS" I GET (from UNIDENTIFIABLE ac as Elon Musk got https://tech.slashdot.org/stor... )

    3rd BEING IMITATED = "Imitation = sincerest form of flattery" https://linux.slashdot.org/com... ... apk

    1. Re: Impersonating me AGAIN? Ok then... apk by Anonymous Coward · · Score: 0

      I'm not the OP, but I think it's hilarious that you believe that you're world class. You can't even afford your own home, which is why you need roommates. Your software is also garbage, which is why you're too embarrassed to release the source.

      Unlike you, I actually am successful. I own a successful business with actual employees and I have a net worth of over $50 million. Unlike you, I don't produce crap software that nobody actually uses. My business creates useful products that are sold for a profit. I don't need your validation, which is why your demands that I prove my net worth to you are laughable. I make more money in one year than you'll make in your entire life.

      You're not world class, but you sure think you are. You certainly think you're God's gift to Slashdot and to security. This is despite the fact that your software relies on ineffective blacklists. This is despite the fact that you don't even produce your own blacklists and instead rely on other people's work.

      World class my ass. Your behavior online makes you toxic to any potential employers, which is why you can't get a job after you were fired during the last recession.

  8. Re:Browsers are too complicated and not robust eno by Anonymous Coward · · Score: 1

    Step 1. Fork Firefox
    Step 2. Alter it to treat every web page according to your rules.
    Step 3. Make your new browser the most popular one (because it's secure).
    Step 4. Watch as all broken sites get fixed to work with your popular browser.
    Step 5. Profit.