2

Note: this does not answer my question as it mentions Java/Flash(not in the modern context. The question is from like 10 years ago so probably outdated), and mentions weakness introduced by the user(whereas I'm asking exploits that can be used by code along. No user action is considered.)

I am an Electron developer, so I am familiar with the Javascript and the web environment, but when it comes to information security, I am no expert. Information security has been evolving all these years, and more and more security features are implemented, both in browsers and as a part of various modern web standards. It seems with every update, more things are restricted by the browser for web pages, and there are less things a web page can do without the user's consent.

I recently was faced with this question: in the modern context(2023, that is), with the latest version of Chrome or Firefox and the latest web standard, how safe am I from web pages with malignant intent? This is NOT about protecting my information from phishing or scamming, not about how I should not enter my info into unknown websites, etc., but about what harm could client-side web code do, if I just open random web pages and let their client-side code run? I'm not downloading anything or entering ANY information. Just opening the webpage and using it normally.

I thought about this, and it's obvious that a site cannot access cookies of other sites, so no data-mining there. It cannot access my file system, cannot download files or execute shell commands, so no worries getting viruses too if I don't get tricked into downloading manually. It seems like the very best they could do is gather my IP address and somehow profit from that, other than that they're powerless to do anything. (Back in the days they could annoy me with infinite pop-ups, but even that is banned by chrome now...)

Note that all these are in the modern context, where Chrome/Firefox offers excellent protection, and Flash is long dead. Considering all possible occurrences in the modern world, what are there?

So, if I give you the chance to write any code in a webpage and I'd just open it, what max harm could you do to me, if you really wanted to? (Data-collection, break my computer, anything really.)

D.W.
  • 99,525
  • 33
  • 275
  • 596
Nicholas
  • 131
  • 3
  • 1
    Just wanted to add one condition: It's 2023 now, so NO IE. NO older systems like Windows XP or 7. Only with what's LATEST. The related questions did not have this condition, and their answers seem to be talking a lot about these ancient things as well. I just wanted an answer with respect to modernity only. – Nicholas Nov 12 '23 at 23:43
  • So, you are asking for vulnerabilities and exploits. Have you considered "driveby downloads" and exploiting browser plugins? You say no 0-days, but what about unpatched systems? Are you considering that in-scope? – schroeder Nov 13 '23 at 00:16
  • Thanks for your comment. Yes I think plugin exploits and driveby downloads would be a valid answer to my question. I guess these are not something 100% sure that we can exploit now(or else they'd be patch already), but who-knows-when in the future a bug could surface and suddenly one could exploit them, right? It's like an on-going cat-and-mouse game, if I understand correctly – Nicholas Nov 13 '23 at 00:40
  • 1
    Why exclude 0-days? Modern browsers are good at fixing security problems, so that's kinda like saying Excluding security vulnerabilities, what is the worst security vulnerabilities? – vidarlo Nov 13 '23 at 00:54
  • That makes sens, now that I think about it, I shouldn't exclude anything. I'll edit my post to strike that line. Thanks. EDIT: I cannot do strikethrough on this site for some reason. I replaced the text – Nicholas Nov 13 '23 at 01:06
  • But now your question kinda answers itself: a malicious website can take advantage of unpatched vulnerabilities in the browser itself or the extensions it uses. – schroeder Nov 13 '23 at 09:22

1 Answers1

4

You're pretty safe, assuming you are using the latest updated version of a major browser, and your security requirements are similar to that of most users, and you use appropriate caution.

There are no absolute answers, and no absolute perfect security. Rather, it is a matter of risk management. But this scenario (opening a link to an untrusted web page) is exactly what browsers are designed to handle securely, and browsers are generally pretty good at it.

Assuming you don't interact with the web page once you open it, the primary risk is that there is some unpatched remotely exploitable vulnerability in the web browser, and the malicious web site uses a zero-day exploit to compromise your web browser. While this is possible and has occurred, it is relatively rare and requires great expertise or funding from the attacker. For instance, on vulnerability markets, buying a working zero-day exploit for a major browser will probably cost something like a million dollars, if not more. If you are an average, ordinary user, you are probably not facing that level of threat.

There are some other risks. If you interact with the web page, you could get scammed by social engineering attacks, such as phishing or running untrusted code downloaded from that website. If you have strict anonymity/privacy requirements, the web page could learn some information about you, such as your IP address. If you use browser plugins or add-ins, any vulnerability in those could be exploited, and the risk from that will depend on which plugin/add-in you are using and does not admit any simple summary.

D.W.
  • 99,525
  • 33
  • 275
  • 596