21 votes

780GB of data, tools, and source code were stolen from EA by purchasing a stolen cookie to get access to the company's Slack and social-engineering an IT Support employee

7 comments

  1. [5]
    teaearlgraycold
    Link
    How did the original cookie leak? Could a malicious browser extension get that?

    5 votes
    1. [4]
      Deimos
      Link Parent
      Browser extensions could absolutely get them, if they're given the right permissions. There are a ton of browser extensions that request extremely broad permissions like "access your data for all websites", and people allow it without a second thought.

      Browser extensions are one of the biggest security blind spots right now, in my opinion. They have access to so much, and everyone applies almost zero scrutiny to them.

      13 votes
      1. [3]
        Wes
        Link Parent
        One of the biggest pushes with Chromium's new API (manifest version 3) is to reduce the attack surface of extensions. APIs are moving to declarative code and banning execution from remote sources (which could bypass review).

        People are mostly upset about it, but I think it will improve the security landscape. I think we really underestimate how many extensions are being purchased and stuffed with malicious code.

        7 votes
        1. [2]
          Octofox
          Link Parent
          Yeah I totally understand how people are upset but the risk level of browser extensions right now is obscene. The people upset by this say the user should just be careful about what they install but the correct level of care should be to never install an extension.

          The problem is that great and trustworthy extensions get bought by malware authors for huge amounts of money and get turned into malware silently without anyone noticing for many months.

          3 votes
          1. hhh
            Link Parent
            see: nano defender

            trusted open source standalone adblocker and companion anti-adblocker for ublock origin used by tens or hundreds of thousands silently sold to a shady turkish company who turned it into malware and stole logins

            6 votes
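An added example, not written by anyone in the thread and not taken from any browser's or store's tooling: a small Node.js audit of extension `manifest.json` contents that flags the "all websites" access and cookie access discussed above, and notes which manifest version each extension uses. The finding labels and the sample manifests are constructed for illustration.

```javascript
// Added example: hypothetical audit helper, not part of any browser or store tooling.

// A match pattern is broad when its host part is "*" (every site) or it is <all_urls>.
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(m) {
  const mv = m.manifest_version;
  const perms = m.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 lists them in "host_permissions".
  const hosts = mv >= 3
    ? (m.host_permissions || [])
    : perms.filter(p => p === "<all_urls>" || p.includes("://"));
  const broadHosts = hosts.filter(isBroad);
  const broadScripts = (m.content_scripts || [])
    .flatMap(cs => cs.matches || [])
    .filter(isBroad);
  const hasCookiesApi = perms.includes("cookies");

  const findings = [];
  if (hasCookiesApi && broadHosts.length) findings.push("cookies-api-all-sites");
  else if (broadHosts.length) findings.push("host-access-all-sites");
  if (broadScripts.length) findings.push("content-script-all-sites");
  if (mv < 3) findings.push("mv2-no-remote-code-ban");
  return { name: m.name, manifestVersion: mv, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "Coupon Helper", manifest_version: 2,
    permissions: ["cookies", "tabs", "<all_urls>"] },
  { name: "Example Notes", manifest_version: 3, permissions: ["storage"],
    host_permissions: ["https://example.com/*"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["notes.js"] }] },
  { name: "Page Tweaker", manifest_version: 3, permissions: ["cookies"],
    host_permissions: ["*://*/*"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["tweak.js"] }] },
];

for (const r of SAMPLES.map(auditManifest)) {
  console.log(`${r.name} (MV${r.manifestVersion}): ${r.findings.join(", ") || "no broad access"}`);
}
```

An extension that passes this check today can still change its permissions in a later update, so the audit is only useful when re-run against the installed versions.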
  2. [2]
    Shahriar
    Link
    A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA. Cookies can save the login details of particular users, and potentially let hackers log into services as that person. In this case, the hackers were able to get into EA's Slack using the stolen cookie.

    I'm surprised this hasn't been the case before. It is only just recently that browsers like Firefox 86 isolate cookies to only the domain that the cookie originated from.

    2 votes
    1. Diff
      Link Parent
      Even before that, sites can't access each other's cookies. Example.com can't read cookies belonging to google.com. However, if you include an ad script from Google in example.com, then Google can set Google cookies noting the visit and use those elsewhere, since those cookies belong to Google. Technically I think Google would also be able to check out example.com's cookies but you're already running someone else's code at that point so there's plenty of ways for them to stab you in the back.

      What that feature does, if I understand it correctly, is throw all cookies for all domains in individual boxes based on the first-party site you were actually intending to visit. So even if you include Google's script across all the sites you visit, those scripts can't communicate through cookies stored on your device anymore.

      5 votes
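An added example, not part of the thread and not Firefox's implementation: a simplified model of the "individual boxes" behaviour described above, comparing a cookie store keyed by cookie domain alone with one keyed by the first-party site plus the cookie domain. The `tracker.example`, `news.example` and `shop.example` names and the `uid` cookie are assumptions made for the illustration.

```javascript
// Simplified model of a browser cookie store (constructed; not a real browser's code).
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  // Unpartitioned: one box per cookie domain.
  // Partitioned: one box per (first-party site, cookie domain) pair.
  key(topLevelSite, cookieDomain) {
    return this.partitioned ? `${topLevelSite}^${cookieDomain}` : cookieDomain;
  }
  get(topLevelSite, cookieDomain, name) {
    return (this.store.get(this.key(topLevelSite, cookieDomain)) || {})[name];
  }
  set(topLevelSite, cookieDomain, name, value) {
    const k = this.key(topLevelSite, cookieDomain);
    this.store.set(k, { ...(this.store.get(k) || {}), [name]: value });
  }
}

// A third-party resource from tracker.example embedded on a page.
// It reuses its "uid" cookie when one is visible, otherwise issues a new one.
function trackerVisit(jar, topLevelSite, nextId) {
  let id = jar.get(topLevelSite, "tracker.example", "uid");
  if (id === undefined) {
    id = nextId();
    jar.set(topLevelSite, "tracker.example", "uid", id);
  }
  return id;
}

// Returns the identifier the tracker sees on each first-party site visited.
function simulate(partitioned) {
  const jar = new CookieJar(partitioned);
  let n = 0;
  const nextId = () => `uid-${++n}`;
  const visits = ["news.example", "shop.example", "news.example"];
  return visits.map(site => trackerVisit(jar, site, nextId));
}

console.log("shared jar:     ", simulate(false).join(", "));
console.log("partitioned jar:", simulate(true).join(", "));
```

With the shared jar the tracker sees one identifier on every site; with the partitioned jar it sees a separate identifier per first-party site, so visits to different sites can no longer be linked through the cookie.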