This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron-powered app, meaning it’s a web page rendered by a bundled Chromium engine, with a Node.js runtime sitting alongside it. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems of running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but in the Electron versions of the day it has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this allow an attacker to do? With contextIsolation off, the page’s JavaScript and the privileged JavaScript (the preload script and Electron’s own internal code) share one JavaScript world: the same window object, the same Array.prototype, the same everything. That makes it possible for an XSS attack to overwrite built-in JS functions. If those functions are later called by the privileged back-end, the attacker’s replacement runs as part of that back-end, which has full access to Node.js functions, including exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example of how these work, look at the exploit demo below: on the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one of them being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability: a specially crafted Sketchfab file can run JavaScript whenever a user interacts with the embedded player, and that embed can be shoehorned into a Discord message. We’re almost there, but there is still a problem. This code runs in the context of the iframe, not the top-level page, so it can’t override the functions needed for a full escape. To actually get RCE, we need to navigate the top-level page, not just the iframe, to a malicious URL. There is already code in place to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In that case, JavaScript running in the iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from an insecure configuration in the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another embeddable service has an XSS bug that doesn’t require any interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.


Crowd Funded Jumping Cubes

The Japan Aerospace Exploration Agency (JAXA) recently contributed their Int-Ball technology to a Kickstarter campaign operated by the Japanese electronics manufacturer / distributor Bit Trade One (Japanese site). This technology is based on the Cubli project out of the Swiss Federal Institute of Technology in Zurich (ETH Zurich), which we covered back in 2013. The Cubli-based technology has been appearing in various projects since then, including the Nonlinear Mechatronic Cube in 2016. Alas, the current JAXA-based “3-Axis Attitude Control Module” project doesn’t have a catchy name — yet.

One interesting application of these jumping cubes, presumably how JAXA got involved with these devices, is a floating video camera that was put to use on board the International Space Station (ISS) in 2017. The version being offered by the Kickstarter campaign doesn’t include the cameras, and you will need to provide your own gravity-free environment to duplicate that application. Instead, they seem to be marketing this for educational uses. You’d better dig deep in your wallet if you want one — a fully assembled unit requires a pledge of over $5000 (there is a “some assembly required” kit that can save you about $1000). Most of us won’t be backing this project for that reason alone, but it is nice to see the march of progress of such a cool technology: from inception to space applications to becoming available to the general public. Thanks to [Lincoln Uehara] for sending in this tip.


DSL Is Barely Hanging On The Line As Telcos Stop Selling New Service

Are you reading this over AT&T DSL right now? If so, you might have to upgrade or go shopping for a new ISP soon. AT&T quietly stopped selling new traditional DSL service on October 1st, though they will continue to sell their upgraded fiber-to-the-node version. This leaves a gigantic digital divide, as only 28% of AT&T’s 21-state territory has been built out with full fiber to the home, and the company says they have done almost all of the fiber expansion that they intend to do. AT&T’s upgraded DSL offering is a fiber and copper hybrid, where fiber ends at the network node closest to the subscriber’s home, and the local loop is still over copper or coax.

At about the same time, a report came out written jointly by members of the Communications Workers of America union and a digital inclusion advocacy group. The report alleges that AT&T targets wealthy and non-rural areas for full fiber upgrades, leaving the rest of the country in the dark.

As the internet has been the glue holding these unprecedented times together, this news comes as a slap in the face to many rural customers who are trying to work, attend school, and see doctors over various videoconferencing services.

If you live in a big enough city, chances are you haven’t thought of DSL for about twenty years, if ever. It may surprise you to learn of the popularity of ADSL in the United Kingdom. ADSL was the main source of broadband in the UK until 2017, when it was overtaken by the rise of fibre-to-the-cabinet (FTTC) connections. However, this Ofcom report shows that in 2018 ADSL still made up more than a third of all UK broadband connections.

Why do people still have it, and what are they supposed to do in the States when it dries up?


PyGame Celebrates 20 Years By Releasing PyGame 2.0

Python is an absolutely fantastic language for tossing bits of data around and gluing different software components together. But eventually you may find yourself looking to make a program with an output a bit more advanced than the print() statement. Once you’ve crossed into the land of graphical Python programming, you’ll quickly find that the PyGame library is often recommended as a great way to start pushing pixels even if you’re not strictly making a game.

Today, the project is celebrating an incredible milestone: 20 years of helping Python developers turn their ideas into reality. Started by [Pete Shinners] in 2000 as a way to interface with Simple DirectMedia Layer (SDL), the project was quickly picked up by the community and morphed into a portable 2D/3D graphics library that lets developers deploy their code on everything from Android phones to desktop computers.

Things haven’t always gone smoothly for the open source library, and for a while development had stalled out. But the current team has been making great progress, and decided today’s anniversary was the perfect time to officially roll out PyGame 2.0. With more than 3,300 changes committed since the team started working on their 2.0 branch in July of 2018, it’s a bit tough to summarize what’s new. Suffice to say, the library is more capable than ever and is ready to tackle everything from simple 2D art up to 4K GPU-accelerated applications.

Rip and tear in PyGame 2.0

If you haven’t given PyGame a try in a while, don’t worry. The team has put special effort into making the library as backwards compatible as possible, so if you’ve got an old project kicking around that you haven’t touched in a decade, it should still run against the latest and greatest version. If you’ve never used it before, the team says they’ll soon be releasing new tutorials that show you how to get the most out of this new release.

Whether you’re putting together your own implementation of Conway’s “Game of Life” or creating the graphical front-end for your own Linux distribution, PyGame is a powerful tool to have in your collection. Our sincere congratulations to all PyGame developers, past and present, for making it to this auspicious occasion. We can’t wait to see what the next decade will bring.

[Thanks to deshipu for the tip.]

The 10,000 Pixel Per Inch Display Is Now Possible

A good smartphone now will have about 500 pixels per inch (PPI) on its screen. Even the best phones we could find clock in at just over 800 PPI. But Stanford researchers have a way to make displays with more than 10,000 pixels per inch using technology borrowed from solar panel research.

Of course, that might be overkill on a six-inch phone screen, but for larger displays and close up displays like those used for virtual reality, it could be a game-changer. Your brain is good at editing it out, but in a typical VR headset, you can easily see the pixels from the display even at the highest PPI resolutions available. Worse, you can see the gaps between pixels which give a screen door-like effect. But with a density of 10,000 PPI it would be very difficult to see individual pixels, assuming you can drive that many dots.


Community Rallies Behind Youtube-dl After DMCA Takedown

At this point, you’ve likely heard that the GitHub repository for youtube-dl was recently removed in response to a DMCA takedown notice filed by the Recording Industry Association of America (RIAA). As the name implies, this popular Python program allowed users to produce local copies of audio and video that had been uploaded to YouTube and other content hosting sites. It’s a critical tool for digital archivists, people with slow or unreliable Internet connections, and more than a few Hackaday writers.

It will probably come as no surprise to hear that the DMCA takedown and subsequent removal of the youtube-dl repository has utterly failed to contain the spread of the program. In fact, you could easily argue that it’s done the opposite. The developers could never have afforded the amount of publicity the project is currently enjoying, and as the code is licensed as public domain, users are free to share it however they see fit. This is one genie that absolutely won’t be going back into its bottle.

In true hacker spirit, we’ve started to see some rather inventive ways of spreading the outlawed tool. A Twitter user by the name of [GalacticFurball] came up with a way to convert the program into a pair of densely packed rainbow images that can be shared online. After downloading the PNG files, a command-line ImageMagick incantation turns the images into a compressed tarball of the source code. A similar trick was one of the ways used to distribute the DeCSS DVD decryption code back in 2000; though unfortunately, we doubt anyone is going to get the ~14,000 lines of Python code that makes up youtube-dl printed up on any t-shirts.

Screenshot of the Tweet sharing YouTube-dl repository as two images

It’s worth noting that GitHub has officially distanced themselves from the RIAA’s position. The company was forced to remove the repo when they received the DMCA takedown notice, but CEO Nat Friedman dropped into the project’s IRC channel with a promise that efforts were being made to rectify the situation as quickly as possible. In a recent interview with TorrentFreak, Friedman said the removal of youtube-dl from GitHub was at odds with the company’s own internal archival efforts and financial support for the Internet Archive.

But as it turns out, some changes will be necessary before the repository can be brought back online. While there’s certainly some debate to be had about the overall validity of the RIAA’s claim, it isn’t completely without merit. As pointed out in the DMCA notice, the project made use of several automated tests that ran the code against copyrighted works from artists such as Taylor Swift and Justin Timberlake. While these were admittedly very poor choices to use as official test cases, the RIAA’s assertion that the entire project exists solely to download copyrighted music has no basis in reality.

[Ed Note: This is only about GitHub. You can still get the code directly from the source.]

AMD Acquires Xilinx For $35 Billion

News this morning that AMD has reached an agreement to acquire Xilinx for $35 Billion in stock. The move to gobble up the leading company in the FPGA industry should come as no surprise for many reasons. First, the silicon business is deep into an age of mergers and acquisitions, but more importantly, AMD’s main competitor, Intel, purchased the other FPGA giant Altera back in 2015.

Primarily a maker of computer processors, AMD expands into the reconfigurable computing market as Field-Programmable Gate Arrays (FPGA) can be adapted to different tasks based on what bitstream (programming information written to the chips) has been sent to them. This allows the gates inside the chip to be reorganized to perform different functions at the hardware level even after being put into products already in the hands of customers.

Xilinx invented the FPGA back in the mid-1980s, and since then the falling costs of silicon fabrication and the acceleration of technological advancement have made them ever more desirable solutions. Depending on volume, they can be a more economical alternative to ASICs. They also help with future-proofing, as technology not in existence at time of manufacture — such as compression algorithms and communications protocols — may be added to hardware in the field by reflashing the bitstream. Xilinx also makes the Zynq line of hybrid chips that contain both ARM and FPGA cores in the same device.

The deal awaits approval from both shareholders and regulators but is expected to be complete by the end of 2021.