undefined | Better HN

0 pointstaneliv13d ago0 comments

Trivially, `less` to see README.md of a malicious/compromised open source project. There are perhaps more plausible avenues of exploiting, but this one popped to mind immediately.

0 comments

charcircuit13d ago

Opening a URL should always be safe. It's a security bug if it isn't.

hnlmorg13d ago

Yet such security bugs exist in their multitude. Plenty of internal-only systems are not locked down securely and only thing preventing mass exploitation is browsers CORS settings. But if request is originating from inside the network (as it would from a terminal emulator), then all bets are off.

Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth” — ie not to rely on the security of any single facet but instead layering your security just in case any one particular layer does prove to be insufficient.

This is why in my own terminal emulator I implemented hyperlinks via user defined RegEx. The terminal user gets to decide what text becomes click-actionable rather than the attacker.

I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did. And the gist authors response was to delete the replies and turn off comments. Which adds additional concern about this proposal. It follows no process, no feedback, nothing. Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.

iugtmkbdfil83413d ago

I don't know if it is a trend, but I did notice a larger willingness in FOSS to be uncooperative with more common response to suggestions/questions being "if you don't like it, fork it". I almost wonder if advent of llms prompted people to be more comfortable with saying 'I am building this based on my needs'.

shiomiru13d ago

> Plenty of internal-only systems are not locked down securely and only thing preventing mass exploitation is browsers CORS settings.

CORS has no relation to this issue. Cross-origin means there are at least two origins, but in this case there is only one (where you're trying to navigate).

> But if request is originating from inside the network (as it would from a terminal emulator)

Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?

> Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth”

Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.

> I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did.

Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.

> Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.

Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).

Have you considered that the person trying to dictate how others' terminals should operate might be you?

1 more reply

hombre_fatal11d ago

That's not the only URL-related attack surface.

e.g. "Log in to receive your bitcoin: https://colnbase.com" (phishing)

ycombinatrix12d ago

Not true. At the very least it can leak your IP address. There's a reason whatsapp & other messaging services have an internal proxy for generating web previews.

bigstrat200313d ago

And yet, it isn't always safe. Yes, that should be fixed, but defense in depth exists for a reason.

j / k navigate · click thread line to collapse