NoScript, a frequently endorsed browser add-on that is popular among the privacy community and millions of Firefox users around the world, was put to the test by Matthew Bryant, a white-hat hacker and security researcher.
The results are likely to surprise many.
NoScript and how it works
By their own account, NoScript helps provide the “most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.” Even Edward Snowden has endorsed NoScript as an effective counter-measure against surveillance.
Giorgio Maone, the main developer behind NoScript, notes that:
- NoScript has been downloaded over 50 million times since it became available in 2005.
- NoScript is currently downloaded over 20,000 times a day.
In an interview with VentureBeat, Maone said: “I started developing NoScript mainly for my personal needs of security, since I perceived that web browsers were becoming the most vulnerable spot of our digital life, and our digital life was becoming more and more our “real” life — relationships, finance and all.”
Putting NoScript to the test
Penetration tester Bryant decided to bypass the add-on partly because of the fanfare around NoScript and the trust that millions have invested in it.
“My goal was simply to bypass the add-on when it’s been installed with the default configuration,” he said, adding that he had heard a lot of people dismiss exploits with the attitude of “I use NoScript when I browse the internet and am therefore safe from all web exploits!”
As it happens, NoScript ships with a built-in white-list. An entry in this white-list means that NoScript allows that site complete access: you are trusting every website and CDN (content delivery network) included in the white-list.
Significantly, NoScript trusted not just these domains, but also the subdomains of any of the mentioned sites.
- Adding test.com to the whitelist means that all subdomains of that domain are trusted too.
- In other words, malware.test.com is essentially trusted as well.
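The subdomain behaviour described above, modelled as an added example (not code from NoScript or from Bryant's research): a suffix-matching whitelist check plus an audit that flags hosts trusted only through a parent entry. The function names and the sample lists are assumptions constructed for illustration; test.com and malware.test.com are the article's own example hosts.

```javascript
// Simplified model of whitelist matching; NOT NoScript's source code.
// matchEntry, auditHosts, inheritedTrust and the sample data are hypothetical.

// Normalise a hostname for comparison: lowercase, strip one trailing dot.
function normalise(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Return how `host` relates to a whitelist `entry`:
//   "exact"     - host is the entry itself
//   "subdomain" - host is trusted only because a parent domain is listed
//   null        - not covered by this entry
function matchEntry(host, entry) {
  const h = normalise(host);
  const e = normalise(entry);
  if (h === e) return "exact";
  // Match on a label boundary so "nottest.com" is not covered by "test.com".
  if (h.endsWith("." + e)) return "subdomain";
  return null;
}

// Classify every host; an exact entry wins over an inherited one.
function auditHosts(hosts, whitelist) {
  return hosts.map((host) => {
    let best = null;
    for (const entry of whitelist) {
      const kind = matchEntry(host, entry);
      if (kind === "exact") { best = { host, entry, kind }; break; }
      if (kind === "subdomain" && !best) best = { host, entry, kind };
    }
    return best || { host, entry: null, kind: "untrusted" };
  });
}

// Hosts that inherit trust from a parent entry are the ones to review.
function inheritedTrust(hosts, whitelist) {
  return auditHosts(hosts, whitelist)
    .filter((r) => r.kind === "subdomain")
    .map((r) => r.host);
}

// Constructed sample data (not a real NoScript whitelist).
const WHITELIST = ["test.com", "cdn.example.net"];
const SCRIPT_HOSTS = ["test.com", "malware.test.com", "nottest.com",
                      "CDN.example.net.", "example.net"];

console.log(auditHosts(SCRIPT_HOSTS, WHITELIST));
console.log("review:", inheritedTrust(SCRIPT_HOSTS, WHITELIST));
```

Listing a bare domain covers every host beneath it, so the review list is where an entry grants more trust than the user may have intended.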
Bryant sums up the experiment, saying: “I encourage everyone reading this to please purge your whitelist. Remove everything you don’t trust! It’s fine to trust a site but make sure you understand what you’re doing.”
He also contacted Giorgio Maone, who put a patch out on the NoScript website within hours. The same patch was pushed as an update to all NoScript users within a matter of days.