XSS security flaw has already been patched in Google Chrome and Mozilla Firefox

UPDATED DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.

The vulnerability was discovered in DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features.

It could be leveraged to achieve uXSS on victims’ devices, revealed researcher Wladimir Palant, meaning that arbitrary code could be executed on any domain.

While it has been patched in Chrome and, since the time of writing, in Mozilla Firefox, no update has been issued for other browsers such as Microsoft Edge.

Palant included more technical details about the attack in a blog post.

The security flaw could enable malicious actors to spy on all websites that the user is visiting, leaving sensitive information such as banking details and other data potentially accessible.

It leaves their privacy “completely compromised” when browsing online, said Palant, and can even exploit websites that have countermeasures such as a content security policy.

The vulnerability can only be exploited by somebody controlling, Palant noted, meaning that an attacker would need to gain access to the server.

Palant wrote: “Note how agentSpoofer.getAgent() is inserted into this script without any escaping or sanitization.

“The data used to decide about spoofing the user agent is downloaded from.

“So the good news: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).”

Palant told The Daily Swig: “The attackers can spy on anything the users do in their browser, they can manipulate displayed information, take over accounts, impersonate the user.

“As a trivial consequence, online banking or shopping sessions can no longer be considered secure – the attackers can reroute transfers or shipments.”
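The pattern Palant describes, a remotely supplied user-agent value placed into a script without escaping, is shown here beside a hardened form. This is an added sketch, not the extension's code: `buildScriptUnsafe`, `buildScriptSafe`, `evaluate`, the `state` object and the sample value are all hypothetical.

```javascript
// Added illustration; not DuckDuckGo's code. All names here are hypothetical.

// Vulnerable pattern: a value fetched from a server is pasted straight into
// script source, so a quote in the value ends the string literal early.
function buildScriptUnsafe(userAgent) {
  return `state.userAgent = '${userAgent}';`;
}

// Hardened pattern: validate the value, then emit it as a JSON string literal
// so it can only ever be parsed as data.
function buildScriptSafe(userAgent) {
  // Assumption: a user-agent string is printable ASCII of bounded length.
  if (typeof userAgent !== 'string' || !/^[\x20-\x7e]{1,512}$/.test(userAgent)) {
    throw new TypeError('rejected user agent value');
  }
  // JSON.stringify escapes quotes and backslashes; "<" is also escaped so the
  // literal cannot close a surrounding <script> element if embedded in HTML.
  const literal = JSON.stringify(userAgent).replace(/</g, '\\u003c');
  return `state.userAgent = ${literal};`;
}

// Evaluate generated source against a fresh state object and return it, so
// the effect of each builder can be compared.
function evaluate(source) {
  const state = { userAgent: null, injected: false };
  new Function('state', source)(state);
  return state;
}

// Constructed sample value standing in for tampered server data.
const CONSTRUCTED_VALUE = "x'; state.injected = true; '";

function compare() {
  return {
    unsafe: evaluate(buildScriptUnsafe(CONSTRUCTED_VALUE)),
    safe: evaluate(buildScriptSafe(CONSTRUCTED_VALUE)),
  };
}
```

With the unsafe builder the constructed value runs as a statement and flips `state.injected`; with the safe builder the same value arrives unchanged in `state.userAgent` and nothing else executes.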