Labs and production machines are separate machines. An attack on labs in the worst case would only be able to attack other labs users.
As Cyken said, one of the very scary scenarios is JS getting access to data it should not have access to (e.g. if you're inputting your password in one tab and a malicious site is in a different tab). The Spectre paper has a proof of concept they say worked to extract private memory against (a now outdated) version of Google Chrome.
All this is to say, you should update your browser ASAP or ensure that autoupdates are enabled. Similarly for your OS as updates become available.
-- bawolff
On Thursday, January 4, 2018, Denny Vrandečić vrandecic@gmail.com wrote:
Ah, that sounds good. I was thinking of a scenario where someone runs code in, say labs, and gains access to memory while that machine generates my temporary code to send it to me, and thus gains access to that code.
Or, alternatively, just attack my browser through a compromised site running a JS exploit and gaining access to anything in my memory. But that's on my side to fix (or, rather, on the browser developers).
One way or the other, I have set up 2FA for now.
Use more lynx!
On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux cykenzeraux@gmail.com wrote:
Spectre can be exploited in just JavaScript.
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-t...
Browsers are making changes to mitigate this.
http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript...
The actual extents of the attack that are realistically possible in this scenario, I do not know. But as stated in the article, Google suggests: "Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie."
I would take that to mean that cookies could be accessed, at the least.
On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev smalyshev@wikimedia.org wrote:
Hi!
So far so good. What I am wondering is whether that password reset trial is actually even more dangerous now given Spectre / Meltdown?
I think for those you need local code execution access? In which case, if somebody gained one on MW servers, they could just change your password I think. Spectre/Meltdown from what I read are local privilege escalation attacks (local user -> root or local user -> another local user) but I haven't heard anything about crossing the server access barrier.
(I probably should set up 2FA right now. Have been too lazy so far)
Might be a good idea anyway :)
-- Stas Malyshev smalyshev@wikimedia.org
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
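The cookie attributes named in the Google advice quoted in this thread (SameSite and HttpOnly) can be checked mechanically on a site's `Set-Cookie` headers. The following is an added example, not part of the original thread; the function names and the sample header values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for the HttpOnly and
// SameSite attributes. All names and sample data here are hypothetical.

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: new Map() };
  for (const a of attrs) {
    if (!a) continue; // tolerate a trailing ';'
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : a.slice(i + 1).trim().toLowerCase();
    cookie.attrs.set(key, val);
  }
  return cookie;
}

// Report which of the two recommended attributes a cookie lacks.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.has('httponly')) {
    findings.push('missing HttpOnly: cookie is readable via document.cookie');
  }
  const sameSite = c.attrs.get('samesite');
  if (sameSite === undefined) {
    findings.push('missing SameSite: attribute is not set explicitly');
  } else if (sameSite === 'none') {
    findings.push('SameSite=None: cookie is sent on cross-site requests');
  } else if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('unrecognised SameSite value: ' + sameSite);
  }
  return { name: c.name, findings };
}

// Keep only the cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

// Constructed sample headers (not captured from any real server).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=theme=dark; Path=/',
  'token=xyz; Secure; HttpOnly; SameSite=None',
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.name + ': ' + r.findings.join('; '));
}
```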