Opened 6 months ago

Closed 3 months ago

#22067 closed defect (fixed)

NoScript Click-to-Play bypass with embedded videos and audios

Reported by: samantharis
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security, noscript, TorBrowserTeam201707R
Cc: ma1, fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

NoScript does not block .webm playback on Tor hidden services but plays them first and then blocks them after.

Example:

If you go to http://alokalaou53jmgum.onion/b/50927 and click on the 'homer-simpson webm', it will start playing directly after being clicked on even though Tor Browser is set to the high security slider, and this happens 9/10 times.

Whereas if you open it directly it will block it 9/10 times.

http://alokalaou53jmgum.onion/src/M9Xjl/1486923637894.webm

This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably in even older versions, leaving users potentially in danger if it were to be a malicious .webm, by not blocking it.

Change History (11)

comment:1 Changed 6 months ago by gk

Cc: ma1 added
Summary: NoScript Click-to-Play bypass → NoScript Click-to-Play bypass with embedded videos

samantharis: what makes you believe this is an onion service related issue? Are you saying with "9/10" that in both cases you get the video to play?

That said: I can reproduce your findings in your first example but only on the second try. The first try to load the video is always blocked for me. I guess the crucial difference here is that you click on an embedded video in the first example while you are loading the video directly in the second example.

Tested on a Linux system with Tor Browser 7.0a3 and NoScript 5.0.3.

I think this is a NoScript bug.

Last edited 6 months ago by gk

comment:2 Changed 6 months ago by gk

Keywords: tbb-security added

comment:3 Changed 6 months ago by cypherpunks

Keywords: noscript added

It's easily reproducible on stable. With 7.0a3 the blocking is so fast that it's hard to notice.

NoScript 5.0a3.

hehe (:

comment:4 Changed 6 months ago by cypherpunks

Summary: NoScript Click-to-Play bypass with embedded videos → NoScript Click-to-Play bypass with embedded videos and audios

comment:5 Changed 6 months ago by tokotoko

Cc: fdsfgs@… added

comment:6 Changed 4 months ago by ma1

This does not happen in NoScript's default configuration, only in Tor Browser's custom setup.

Easiest work-around: turn "Forbid other plugins" (noscript.forbidPlugins) to true.

Working on a fix for 5.0.6, hopefully by this week.

comment:7 Changed 4 months ago by cypherpunks

Holy shit!!! Forbid all plugins!!!

comment:8 in reply to:  6 Changed 3 months ago by gk

Status: new → needs_information

Replying to ma1:

> This does not happen in NoScript's default configuration, only in Tor Browser's custom setup.
>
> Easiest work-around: turn "Forbid other plugins" (noscript.forbidPlugins) to true.
>
> Working on a fix for 5.0.6, hopefully by this week.

This did not make it into 5.0.6, right? At least opening the link in comment:4 still results in playing first and blocking shortly later for me.

comment:9 Changed 3 months ago by ma1

Please check 5.0.7rc2 from https://noscript.net/getit#devel, thank you. If no major regression is found, I plan to release 5.0.7 stable by Sunday.

comment:10 Changed 3 months ago by gk

Keywords: TorBrowserTeam201707R added
Status: needs_information → needs_review

comment:11 in reply to:  9 Changed 3 months ago by gk

Resolution: fixed
Status: needs_review → closed

Replying to ma1:

> Please check 5.0.7rc2 from https://noscript.net/getit#devel, thank you. If no major regression is found, I plan to release 5.0.7 stable by Sunday.

Looks good to me, fwiw. I bumped the NoScript versions we ship on master and maint-7.0 (commits 0437834017c1c7ff168da868d9dcb2f2519fd122 and 12565f000a09b27b7dbd9ea864c5004b6d8324a9).
