This article is more than 1 year old

Script-blocker NoScript lets in ANYTHING from

Whitelisting tool was too trusting, by far

Detectify security researcher Linus Särud has reported a weakness in popular Firefox security tool NoScript that allows attackers to have their malware whitelisted.

The tool is used by some two million security-and-privacy-conscious folk who want to stop active content like JavaScript and Flash getting a foothold in their browsers.

Such folk will be disappointed to learn that Särud (@_zulln) says attackers could upload their net menace of choice to any free Google subdomain and have it slip through NoScript's defences.

The researcher says blanket whitelisting of means he was able to create a script that could pass default NoScript configurations and be executed within user browsers.

"My first thought was to try to find some interesting subdomain to any of these domains, such as an old forgotten domain still pointing to a service online, Särud says.

"As all subdomains also are whitelisted, I understood would work just fine.

"Just by visiting the file JavaScript will execute, even if NoScript with default configuration is installed."

Särud notified NoScript which quickly altered the whitelist entry for to instead allow only Google's hosted libraries at

The researcher probed NoScript after fellow hacker Matthew Bryant (@IAmMandatory) found a host of disused default whitelisted domains and purchased one to successfully launch attacks that bypassed default installations.

Bryant intended to launch a store cross-site scripting attack on a subdomain trusted by default for any out-of-the-box whitelisted domains.

That venture was cut short when he found the whitelisted was available for purchase at just US$10, so he snapped it up and used it to point at his JavaScript payload.

"I encourage [everyone] to please purge your whitelist. Remove everything you don't trust," Bryant says.

"It is my opinion that universal bypasses for NoScript should actually be quite easy to find since the default whitelist exposes so much surface area."

NoScript users can review their whitelists through the options feature. ®

More about


Send us news

Other stories you might like