back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
-
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
@rebane2001 I've got a dumb question: Is this something that can be mitigated with a uBlock filter? It reads like it could be but I don't know this stuff well.
-
@rebane2001 I've got a dumb question: Is this something that can be mitigated with a uBlock filter? It reads like it could be but I don't know this stuff well.
-
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
@rebane2001 uh oh
Why did it take them 4 years to (not) fix this?
I really should go ahead and disable js everywhere -
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
@rebane2001 well that's not good...
-
@henry_null @rebane2001 Cue Microsoft issuing a press release accusing Rebane of "violating coordinated vulnerability best practices." They've barely had time to react, after all...
@EdCates @rebane2001 I mean its them who made it public first I guess
https://issues.chromium.org/issues/40062121#comment56 -
OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS
@rebane2001
β
οΈ -
@rebane2001
oooof, thats not good
3,5 years...sent from my firefox
i second this, sent from my epiphany
-
OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS
@rebane2001 peak google efficiency
-
back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser
today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121@rebane2001 Clearly, @mozilla's choices around not implementing certain APIs is paying off.
-
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
@rebane2001 BeEF module ftw!
-
even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!
all from just visiting a single website once !!
issue set to private again, hopefully it'll get fixed properly this time
-
OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS
@rebane2001 Oops.
-
issue set to private again, hopefully it'll get fixed properly this time
@rebane2001 Nice find! I should have woken up earlier to see the details.
-
issue set to private again, hopefully it'll get fixed properly this time
@rebane2001 fucking embarrassing
-
issue set to private again, hopefully it'll get fixed properly this time
@rebane2001 Well, too late, it has already been archived :x
-
@rebane2001 Well, too late, it has already been archived :x
@SamantazFox out of curiosity, where? the archive.org captures don't load for me
edit: ty
-
@SamantazFox out of curiosity, where? the archive.org captures don't load for me
edit: ty
@rebane2001 @SamantazFox It's on archive.today/.is/.ph. Only go there with a content blocker, you're DDoSing a small blog otherwise: https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/
-
back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser
today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121@rebane2001 I hate it; but damn that's clever.
-
issue set to private again, hopefully it'll get fixed properly this time
@rebane2001 really cool work. Didn't realize this sort of bug class even existed. Hope they up the bounty; this seems worth more than $1000
-
@Strabisme @cR0w yes, provided you disable js or service workers on the page
-
R relay@relay.infosec.exchange shared this topic
