Labs and production machines are separate machines. An attack on labs in
the worst case would only be able to attack other labs users.
As Cyken said, one of the very scary scenarios is JS getting access to data
it should not have access to (e.g. if you're inputting your password in one
tab and a malicious site is in a different tab). The Spectre paper has a
proof of concept they say worked to extract private memory against a (now
outdated) version of Google Chrome.
All this is to say, you should update your browser ASAP or ensure that
autoupdates are enabled. Similarly for your OS as updates become
available.
--
bawolff
On Thursday, January 4, 2018, Denny Vrandečić <vrandecic(a)gmail.com> wrote:
Ah, that sounds good. I was thinking of a scenario where someone runs code
in, say labs, and gains access to memory while that machine generates my
temporary code to send it to me, and thus gains access to that code.
Or, alternatively, just attack my browser through a compromised site
running a JS exploit and gaining access to anything in my memory. But
that's on my side to fix (or, rather, on the browser developers).
One way or the other, I have set up 2FA for now.
Use more lynx!
On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux <cykenzeraux(a)gmail.com>
wrote:
> Spectre can be exploited in just JavaScript.
>
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-…
>
> Browsers are making changes to mitigate this.
>
> http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascrip…
>
> The actual extent of the attack that is realistically possible in this
> scenario, I do not know. But as stated in the article, Google suggests:
> "Where possible, prevent cookies from entering the renderer process'
> memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding
> reading from document.cookie."
> I would take that to mean that cookies could be accessed, at the least.
On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev <smalyshev(a)wikimedia.org>
wrote:
Hi!
> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?
I think for those you need local code execution access? In which case,
if somebody gained one on MW servers, they could just change your
password I think. Spectre/Meltdown from what I read are local privilege
escalation attacks (local user -> root or local user -> another local
user) but I haven't heard anything about crossing the server access
barrier.
> (I probably should set up 2FA right now. Have been too lazy so far)
Might be a good idea anyway :)
--
Stas Malyshev
smalyshev(a)wikimedia.org
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
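
The cookie advice quoted in the thread (SameSite and HttpOnly attributes) can be checked mechanically on a site's responses. The following is an added example, not part of any message in this thread: it audits Set-Cookie header values for those attributes; the function names, finding labels and sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the attributes named in
# the quoted advice. All cookie names and values below are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    pair, *rest = value.split(";")
    name = pair.split("=", 1)[0].strip()  # cookie values may contain '='
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Return (name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "httponly" not in attrs:
        # Without HttpOnly, page script can read the cookie via document.cookie.
        findings.append("missing-httponly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        # SameSite is not explicitly set to Strict or Lax.
        findings.append("samesite-not-restrictive")
    if samesite == "none" and "secure" not in attrs:
        # Current browsers reject SameSite=None cookies that lack Secure.
        findings.append("samesite-none-without-secure")
    return name, findings


SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "token=deadbeef; Path=/; Secure",
    "lang=en; Path=/; samesite=strict",
    "pref=a=b; HTTPONLY; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_cookie(header)
        print(f"{name}: {', '.join(findings) or 'ok'}")
```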