← Back to context

Comment by megous

1 day ago

1) write a well crafted exfil payload to mozilla or chrome directory (there are sqlite databases and files that store eg. indexeddb content) 2) trigger a tab open to attacker's website, website takes the exfil data from indexeddb and posts it to the server (have something inocuous looking on that website - like a fake npm homepage or whatever, so you don't close it fast enough)

from one step process, this will become universally usable two step process

3 comments

megous

Reply
gus_  17 hours ago

absolutely. These attacks will evolve for sure, like the malware evolved on Microslop for years.

But for the time being, the common entry vector is clear:

https://github.com/evilsocket/opensnitch/discussions/1119

> 2) trigger a tab open to attacker's website

be sure not to use extra cli parameters like "firefox --new-tab <url>", because if the rule is filtering by process path + cmdline it'll trigger a pop-up to allow the outbound request.

jcgl  20 hours ago

Damn, good call. Really reinforces the need for sandboxing.

Still doesn’t negate the value of OpenSwitch, since the majority of malware won’t do that. But really good to keep in mind.