2020-11-27, a Friday


programming ovinus-linkedin

Originally posted on LinkedIn under my friends’ joint account Ovinus Real.

A recent vulnerability report CVE-2020-0604 has recently been published, revealing a troubling security vulnerability in all major browsers, including Chrome, Internet Explorer, and Safari. The report details the process of performing dangerous XSS in HTML.

What is XSS?

XSS stands for eXternal Scripting Service. In layman’s terms, this allows anyone with basic knowledge in Java to inject dangerous virus code, such as the following:

alert ( 'Hello world' ) ;

The above code snippet locks the browser and creates a pop-up that may contain false or misleading information. However, with JavaXSS (JavaScript), attackers can create realistic bank logins and entire spyware.

What is HTML?

HTML is a programming language that allows browsers to render PDF files, cat gifs, and sometimes even web pages. On its own, it is harmless.

However, the recently discovered security vulnerability in browsers that run HTML reveals that XSS can be performed by creating a malware file containing the following anywhere in the file, including disguised among innocent text.

window.document.body.innerHTML="Hello world";;//=


This allows attackers to execute arbitrary XSS code. This is terrible!

Am I safe?

Chances are, you are not safe. Major browsers have not fixed this vulnerability, and there are currently no plans to resolve this major issue. Security researchers recommend avoiding using major Web browsers for the time being.

Update: Chrome team considers this an “essential feature,” likely because the NSA has been exploiting this vulnerability in web browsers.

Here is an example of it in action: https://www.nsa.gov/

See source and revision history on GitHub.