mpeg 3 hours ago
"Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera." That's pretty bad! I wonder what kind of bounty went to the researcher.

duozerk 2 hours ago | parent | next
> That's pretty bad! I wonder what kind of bounty went to the researcher.
I'd be surprised if it's above 20K$. Bug bounty rewards are usually criminally low; doubly so when you consider the efforts usually involved in not only finding serious vulns, but demonstrating a reliable way to exploit them.

salviati 2 hours ago | parent | next
I think a big part of "criminally low" is that you'll make much more money selling it on the black market than getting the bounty.

duozerk 2 hours ago | parent | next
I read this often, and I guess it could be true, but those kinds of transactions would presumably go through DNMs / forums like BF and the like. Which means crypto, and full anonymity. So either the buyer trusts the seller to deliver, or the seller trusts the buyer to pay. And once you reveal the particulars of a flaw, nothing prevents the buyer from running away (this actually also occurs regularly on legal, genuine bug bounty programs - they'll patch the problem discreetly after reading the report but never follow up, never mind paying; with little recourse for the researcher).

Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying. And I imagine many of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.

The way this trust issue is (mostly) solved on drug DNMs is through the platform itself acting as an escrow agent; but I suspect such a thing would not work as well with selling vulnerabilities, because the volume is much lower, for one thing (preventing a high enough volume for reputation building); the financial amounts generally higher, for another.

The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real-life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.

moring 2 hours ago | parent
> Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying.
Is conning a seller really worth it for a potential buyer? Details will help an expert find the flaw, but it still takes lots of work, and there is the risk of not finding it (and the seller will be careful next time).
> And I imagine many of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.
They also have the money to just buy an exploit.
> The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real-life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.
I'd imagine the skills needed to get paid by ransomware victims without getting caught to be very different from the skills needed to find a vulnerability.

consumer451 2 hours ago | parent | prev
I am far from the halls of corporate decision making, but I really don't understand why bug bounties at trillion dollar companies are so low.

arcfour 2 hours ago | parent
Because it's nicer to get $10k legally + public credit than it is to get $100k while risking arrest + prison time, getting scammed, or selling your exploit to someone who uses it to ransom a children's hospital?

consumer451 13 minutes ago | parent | next
Thanks, great answer. I was just thinking from a simple market value POV.

kspacewalk2 an hour ago | parent | prev
Is it in fact illegal to sell a zero day exploit of an open source application or library to whoever I want?

IggleSniggle an hour ago | parent
Depends. Within the US, there are data export laws that could make the "whoever" part illegal. There are also conspiracy to commit a crime laws that could imply liability. There are also laws that could make performing/demonstrating certain exploits illegal, even if divulging it isn't. That could result in some legal gray area. IANAL but have worked in this domain. Obviously different jurisdictions may handle such issues differently from one another.

naeioi 2 hours ago | parent | prev | next
The bounty could be very high. Last year one bug's reporter was rewarded $250k. https://news.ycombinator.com/item?id=44861106

duozerk 2 hours ago | parent
Maybe Google is an exception (but then again, maybe that payout was part marketing to draw more researchers).

throwaway150 44 minutes ago | parent
So is there anything that would actually satisfy the crowd here? Offer $25K and it is "How dare a trillion dollar company pay so little?" Offer $250K and it is "Hmm. Exception! Must be marketing!" What precisely is an acceptable number?

wepple an hour ago | parent | prev
> but demonstrating a reliable way to exploit them
Is this a requirement for most bug bounty programs? Particularly the "reliable" bit?

bicepjai 3 hours ago | parent | prev | next
So basically Firefox is not affected?

hdgvhicv 2 hours ago | parent | next
The listed browsers are basically skins on top of the same Chromium base. It's why Firefox and Safari are so important despite HN's wish they'd go away.

autoexec an hour ago | parent | next
HN doesn't want Firefox to go away. HN wants Firefox to be better, more privacy/security focused, and to stop trying to copy Chrome out of the misguided hope that being a poor imitation will somehow make it more popular. Sadly, Mozilla is now an adtech company (https://www.adexchanger.com/privacy/mozilla-acquires-anonym-...) and by default Firefox now collects your data to sell to advertisers. We can expect less and less privacy for Firefox users as Mozilla is now fully committed to trying to profit from the sale of Firefox users' personal data to advertisers.

ddtaylor 12 minutes ago | parent
As a 25 year Firefox user this is spot on. I held out for 5 years hoping they would figure something out, but all they did was release weird stuff like VPNs and half baked services with a layer of "privacy" nail polish.

Brave is an example of a company doing some of the same things, but actually succeeding, it appears. They have some kind of VPN thing, but also have Tor tabs for some other use cases. They have some kind of integration with crypto wallets I have used a few times, but I'm sure Firefox has a reason they can't do that or would mess it up. You can only watch Mozilla make so many mistakes while you suffer a worse Internet experience.

The sad part is that we are paying the price now. All of the companies that can benefit from the Chrome lock in are doing so. The web extensions are neutered - and more is coming - and the reasons are exactly what you would expect: more ads and weird user hostile features like "you must keep this window in the foreground" that attempt to extract a "premium" experience from basic usage. Mozilla failed and now the best we have is Brave. Soon the fingerprinting will be good enough that Firefox will be akin to running a Tor browser with a CAPTCHA verification for every page load.

wvbdmp an hour ago | parent | prev
Particularly weird impulse for technically inclined people... Although I must admit to the guilty pleasure of gleefully using Chromium-only features in internal apps where users are guaranteed to run Edge.

zozbot234 2 hours ago | parent | prev | next
Firefox is safe from this because their CSS handling was the first thing they rewrote in Rust.

bawolff an hour ago | parent
I mean, even if it was written in C or C++, it's unlikely two separate code bases would have the exact same use-after-free vuln.

jsheard 3 hours ago | parent | prev | next
Firefox and Safari are fine in this case, yeah.

DetroitThrow 3 hours ago | parent | prev
It's pretty hard to have an accidental use-after-free in the Firefox CSS engine because it is mostly safe Rust. It's possible, but very unlikely.

topspin 2 hours ago | parent | next
That came to my mind as well. CSS was one of the earliest major applications of Rust in Firefox. I believe that work was when the "Fearless Concurrency" slogan was popularized.

moritzwarhier 2 hours ago | parent | prev
Firefox and Safari developers dared the Chromium team to implement :has() and Houdini and this is the result! /s

deanc an hour ago | parent | prev | next
Presumably this affects all Electron apps which embed Chrome too? Don't they pin the Chrome version?

comex an hour ago | parent
Yes, but it's only a vulnerability if the app allows rendering untrusted HTML or visiting untrusted websites, which most Electron apps don't.

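The distinction comex draws (the embedded Chromium only matters if the app can be steered to attacker-controlled content) is exactly what an Electron app's navigation policy has to enforce. The block below is an added example, not code from this thread or from any Electron project; the origin list, the `HARDENED_WEB_PREFERENCES` object, the `hardenWindow()` helper and the `FakeWindow` stand-in are assumptions made for illustration. It shows the renderer settings an app would pass as `webPreferences` and the `will-navigate` / `will-redirect` / window-open guards that keep the renderer on the app's own https origins, rejecting look-alike hosts, `javascript:` and `file:` URLs and popups. The Electron event and handler names used (`will-navigate`, `will-redirect`, `will-attach-webview`, `setWindowOpenHandler`) are real `webContents` APIs; everything else runs under plain Node without Electron installed.

```javascript
'use strict';
// Added example: navigation policy for an Electron app that embeds Chromium.
// Not from the thread or any Electron project; the origins and helper names
// are assumptions for illustration. Runs under plain Node (no Electron).

// Origins the app is allowed to load (assumed for the example).
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://login.example.com'];

// Renderer settings to pass as `webPreferences` to `new BrowserWindow(...)`.
// If a renderer bug is triggered anyway, these keep the renderer away from
// Node APIs and inside the Chromium sandbox.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
});

// Decide whether a navigation or popup target is acceptable: parse it, require
// https, then compare the full origin (scheme + host + port). That rejects
// "https://app.example.com.evil.example", "javascript:" and "file:" URLs, and
// anything that does not parse at all.
function isAllowedNavigation(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  return allowedOrigins.includes(url.origin);
}

// Attach the guards to a window. `win` only needs `webContents.on` and
// `webContents.setWindowOpenHandler`, so a real BrowserWindow and the
// FakeWindow below both work.
function hardenWindow(win, allowedOrigins = ALLOWED_ORIGINS) {
  const wc = win.webContents;
  const block = (event, url) => {
    if (!isAllowedNavigation(url, allowedOrigins)) event.preventDefault();
  };
  // Links, location changes and server redirects to foreign origins are cancelled.
  wc.on('will-navigate', block);
  wc.on('will-redirect', block);
  // window.open / target=_blank never creates a new Electron window here;
  // a real app would hand https links to shell.openExternal instead.
  wc.setWindowOpenHandler(() => ({ action: 'deny' }));
  // <webview> tags would embed arbitrary content; refuse to attach them.
  wc.on('will-attach-webview', (event) => event.preventDefault());
  return win;
}

// Stand-in for BrowserWindow so the guards can be driven without Electron.
class FakeWindow {
  constructor() {
    this.handlers = {};
    this.webContents = {
      on: (name, fn) => { this.handlers[name] = fn; },
      setWindowOpenHandler: (fn) => { this.handlers.windowOpen = fn; },
    };
  }
  // Fire a webContents event and report whether the navigation went through.
  fire(name, url) {
    let prevented = false;
    this.handlers[name]({ preventDefault: () => { prevented = true; } }, url);
    return !prevented;
  }
  openWindow(url) {
    return this.handlers.windowOpen({ url }).action;
  }
}

// Drive the guards with constructed URLs: own origin passes, a foreign origin
// and a plain-http redirect are blocked, and popups are denied outright.
function demo() {
  const win = hardenWindow(new FakeWindow());
  return {
    own: win.fire('will-navigate', 'https://app.example.com/inbox'),
    foreign: win.fire('will-navigate', 'https://evil.example/'),
    redirect: win.fire('will-redirect', 'http://app.example.com/'),
    popup: win.openWindow('https://app.example.com/'),
  };
}

console.log(demo());
```

The check compares `url.origin`, not a host suffix or prefix, because a substring match is the classic mistake that lets `app.example.com.evil.example` through; and it rejects everything that is not `https:` rather than enumerating bad schemes, so `javascript:`, `data:` and `file:` targets are refused without a list to keep up to date. An app that genuinely needs to show third-party content should do it in a separate, sandboxed window with its own allow-list rather than relaxing this one.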
pjmlp 2 hours ago | parent | prev | next
Yeah, but let's keep downplaying use-after-free as something not worth eliminating in 21st century systems languages.

pheggs 2 hours ago | parent
I love Rust but honestly I am more scared about supply chain attacks through cargo than memory corruption bugs. The reason being that supply chain attacks are probably way cheaper to pull off than finding these bugs.

cogman10 2 hours ago | parent | next
If you can bring in 3rd party libraries, you can be hit with a supply chain attack. C and C++ aren't immune, it's just harder to pull off due to dependency management being more complex (meaning you'll work with fewer dependencies naturally).

skydhash an hour ago | parent
You'll find more quality libraries in C because people don't care about splitting them down to microscopic parcels. Even something like 'just' has tens of deps, including one to check that something is executable. https://github.com/casey/just/blob/master/Cargo.toml That's just asking for trouble down the line.

bigfatkitten 24 minutes ago | parent | next
You also won't typically find C/C++ developers blindly yolo'ing the latest version of a dependency from the Internet into their CI/CD pipeline. They'll stick with a stable version that has the features they need until they have a good reason to move. That version will be one they've decided to ship themselves, or it'll be provided by someone like Debian or Red Hat.

pheggs 37 minutes ago | parent | prev
Yes, the average number of dependencies used per dependency appears to be much larger in Rust and that's what I meant and is worrying me. In theory C can be written in a memory safe manner, and in theory Rust can be used without large chunks of supply vulnerabilities. Neither of these is the case in practice, though.

kibwen 2 hours ago | parent | prev | next
But this is irrelevant. If you're afraid of third-party code, you can just... choose not to use third-party code? Meanwhile, if I'm afraid of memory corruption in C, I cannot just choose not to have memory corruption; I must instead simply choose not to use C. Meanwhile, Chromium uses tons of third-party Rust code, and has thereby judged the risk differently.

JoeAltmaier 2 hours ago | parent
Maybe it's more complicated than that? With allocate/delete discipline, C can be fairly safe memory-wise (written a million lines of code in C). But automated package managers etc can bring in code under the covers, and you end up with something you didn't ask for. By that point of view, we reverse the conclusion.

nagaiaida 44 minutes ago | parent | next
Yes, people often invoke "simply write safer C" but that doesn't make it any more realistic of a proposition in aggregate, as we keep seeing.

stackghost an hour ago | parent | prev
> With allocate/delete discipline, C can be fairly safe memory-wise (written a million lines of code in C)
The last 40-50 years have conclusively shown us that relying on the programmer to be disciplined, yourself included, does not work.

staticassertion 2 hours ago | parent | prev
Google already uses `cargo-vet` for Rust dependencies.

pheggs 2 hours ago | parent
That's good, but it won't eliminate the risk.

staticassertion 2 hours ago | parent
Nothing eliminates the risk but it is basically a best-in-class solution. If your primary concern is supply chain risk, there you go, best in class defense against it. If anything, what are you doing about supply chain for the existing code base? How is cargo worse here when cargo-vet exists and is actively maintained by Google, Mozilla, and others?

pheggs 32 minutes ago | parent
True, but Rust's success in creating an easy to use dependency manager is the curse. In general Rust software seems to use a larger number of dependencies than C/C++ due to that, where each is at risk of becoming an attack vector. My prediction is that we will see some abuse of this in future, similar to what npm experienced.

waynesonfire 3 hours ago | parent | prev
"Actually, you forgot Brave."

mpeg 3 hours ago | parent
I quoted directly from NIST, there's many other browsers and non-browsers that use Chromium.

sumtechguy an hour ago | parent | next
Steam and VSCode pop into my mind.

waynesonfire 2 hours ago | parent | prev
It was intended as a joke reference to the 2004 Kerry / Bush debate. It's not a coincidence that Google would leave off an ad-blocking variant of Chrome.

order-matters 2 hours ago | parent | next
They listed the top 3 most popular Chromium browsers, covering 90%+ of Chromium users.

pear01 2 hours ago | parent | prev
Did you also take Poland being omitted to be some sort of conspiracy? Seems you missed the point of why that "Actually, you forgot..." moment became such a punchline. Like it or not, Brave is a very niche browser with rather insignificant market share; why you would expect them to be mentioned in the first place is entirely lost on me. There are dozens of Chromium forks also with under 1% market share, should we be forced to mention them all?