Skip to main content
Topic: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure (Read 1816 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Can Youtube video screen window size determine which vulnerabilities are available, and/or which exploits get delivered?

When Youtube loads, the user is presented with a default view.
Android and iOS, mostly cell phones, which have only 2 modes of screen size, Default Size and Full Screen. A Desktop Computer has a third choice, Letter Box.

When I watch Youtube videos on my computer I often use the Letterbox Format. In this mode most of the attacks I've experienced were while using this mode.

By which Youtube Screen Size you choose to use, others who are monitoring the traffic, Youtube also, can determine which device is viewing this content. Youtube I'm sure has other fingerprinting techniques. A local attacker, on the other hand, can sniff the packets looking for Youtube + Window Size. This would tell the attacker what exploits they can send, Desktop exploits for Letter Box, and Cell phone exploits for everything else.

I start the browser from an appimage in the terminal. Errors and warnings get printed to the terminal. At a certain quantity of Error messages, the attacks become successful and malicious software is installed that leverages the browser.

When I watch Youtube videos in the default view, there are no error messages in the terminal. I wondered where are the WebGL attacks?

When I opened the videos in Letter box, then the attacks start about 10 or 15 minutes later. To me this is an indication of someone searching the contents of the packets to identify vulnerable structures. Through observation, the WebGL exploitation only occurs when a Desktop user chooses a Letter Box screen size for Youtube videos.

If I follow this logic and I stop using the Letter Box screen size option, any 'automated exploits' being sent, will not be targeting my Desktop.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #1
This doesn't make much sense or I'm seriously out of the game.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #2
What is this schizo babble. There's literally nothing installed while watching youtube. No WebGL features are used on youtube at all, most of the WebGL stuff is deprecated and nobody really uses this, I have WebGL disabled, as for appimage errors, those are prolly caused by your schizo-hardened system configuration + whatever env appimage tries to recreate fails. Nothing you've said makes sense.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #3
I have a solution (besides meds That was unfair of me so...) to your issue. Run FreeTube
Supercalifragilisticexpialidocious

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #4
Quote from: cds – on
I have a solution (besides meds That was unfair of me so...) to your issue. Run FreeTube
https://www.youtube.com/watch?v=vSk1NL5tvG4
Shit might be blocked for real now that all of the UK censorship went into law there. Guess data hoarders are having the last laugh.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #5
I think you could also interpret the error messages as being errors from software bugs due to some difference in running in that view mode, at points in the past YT has caused me freezes and problems when switching to full screen, while it would play OK in the normal view. Then after a while your browser operation is affected, perhaps due to memory corruption.  I almost never use that mode, perhaps it's less well tested.
 I am not sure if you have been able to determine you are being subject to malware attacks by some other means though, who knows. Perhaps you could look at installing a firewall and using antivirus and rootkit detectors, and setting up a libaudit system monitoring scheme, there are numerous possibilities to attempt to protect yourself if you feel you are being targeted.

Re the new censorship, I will add something relevant I saw recently in a new thread, as that might deserve a separate topic...    :D
 

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #6
Why not good old RSS+yt-dlp+mpv?

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #7
Quote from: darcy – on
Why not good old RSS+yt-dlp+mpv?
I might assume that for the OP, its just easier to point, click, consume opposed to the extra steps that "might" be needed

"might" being defined as in not having scripted something to do most if not all of it for you.
Supercalifragilisticexpialidocious

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #8
Quote from: ####### – on
I think you could also interpret the error messages as being errors from software bugs due to some difference in running in that view mode, at points in the past YT has caused me freezes and problems when switching to full screen, while it would play OK in the normal view. Then after a while your browser operation is affected, perhaps due to memory corruption.  I almost never use that mode, perhaps it's less well tested.
 I am not sure if you have been able to determine you are being subject to malware attacks by some other means though, who knows. Perhaps you could look at installing a firewall and using antivirus and rootkit detectors, and setting up a libaudit system monitoring scheme, there are numerous possibilities to attempt to protect yourself if you feel you are being targeted.

Re the new censorship, I will add something relevant I saw recently in a new thread, as that might deserve a separate topic...    :D
This is what I'm experiencing, a specific viewing mode, letterbox, provides more 'bugs', 'memory corruption issues', which are presented in the terminal output. Most are WebGL shared context, that, if it's an attacker, may be working to access other resources or tabs. During these events I most commonly receive resource starvation because my RAM becomes full, a Denial of Service condition.
Under the same conditions, only using the default YT viewing mode, no resource exhaustion occurs. From my perspective, using the Letterbox viewing mode has been associated with greater amounts of problems.

I do have yt-dlp, using it as an alternative to see what difference there would be. This revealed some issue regarding audio, downloading at a different rate, the video and audio were out of sync by a lot.

Now that I've been running the default viewing mode as a solution against resource starvation, there are new entries which search suggests is related to audio. Like the yt-dlp issues the YT video and audio were out of sync during these error message outputs.
Code: [Select]
[Child 7396, MediaDecoderStateMachine #1] WARNING: Decoder=7ff35c015d00 state=DECODING_METADATA Decode metadata failed, shutting down decoder: file /root/.local/share/bsys6/work/librewolf-141.0-1/dom/media/MediaDecoderStateMachine.cpp:371
[Child 7396, MediaDecoderStateMachine #1] WARNING: Decoder=7ff35c015d00 Decode error: NS_ERROR_DOM_MEDIA_METADATA_ERR (0x806e0006) - static MP4Metadata::ResultAndByteBuffer mozilla::MP4Metadata::Metadata(ByteStream *): Cannot parse metadata: file /root/.local/share/bsys6/work/librewolf-141.0-1/dom/media/MediaDecoderStateMachineBase.cpp:168


Things which improved the problems I have been experiencing:
XLibre, using this has made recovering from resource exhaustion workable. With Xserver I had to do an emergency boot procedure to recover.
Using Librewolf appimage run in the terminal with the profile in a tmp directory helps me to see when errors are occurring so I can take appropriate action.
Watching YT videos in the default viewing mode apparently limits corruptable states.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #9
Quote from: nous – on
This doesn't make much sense or I'm seriously out of the game.
When I'm short on time, I write brain dumps, that are raw unfiltered out of order contents of all the thoughts I have on an issue or subject. In High School English class it was called brain storming.
Usually, I write them in mousepad or other editor, then restructure it into an assimilable format.
I thought I would have time to restructure the post before comments began to appear. Unfortunately, I had to enter a wipe and reinstall scenario between then and now.
The Reshaeem (Wicked People) are making my life difficult. It is what it is.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #10
If I try to play uncompressed 4k videos from my HDD, not some limited stream from online, I get errors saying your hardware is too slow, and the video might not play correctly and the audio  goes out of sync, this can also happen playing 2.7K videos if they are in h265 not h264, because it takes more power to decode those and that encoding is not so optimized in software or so well supported in older graphics chips. You could try alternative software as far as is possible to try and see if anything in particular is causing the problem and check if there is anything you can do to improve the graphics support, or sometimes turning hw acceleration off entirely in your browser, desktop, and elsewhere might help. If you are concerned your CPU is being used by malware for cryptomining or something, it might require other approaches.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #11
Quote from: Shoun2137 – on
most of the WebGL stuff is deprecated and nobody really uses this, I have WebGL disabled

May I ask what do you meanby deprecated?  AFAIK it's enabled by default on FF, and I believe chromium.  Librewolf has it disabled by default although arkenfox dooesn't and AFAIK neither does the Phoenix project similar to arkenfox.  But it was considered a a security risk before, and more than that a way of fingerprinting.  There's an arch wiki recommending disabling webGL for that same reason.

I've been using Librewolf for some time now (can't remember, more than a year for sure) and I actually haven't found issues with webGL in particular, even combined with RFP which I recently overwritten to use FPP instead with everything enabled (almost the same as RFP) except for CSSPrefersColorScheme, FrameRate, and JSLocale.

So I'm not aware the webGL was deprecated, but rather that it should be disabled if one opts for less fingerprinting.  On the webGL wiki what is mentioned about deprication is not about webGL but rather about:

Quote
Like OpenGL ES 2.0, WebGL lacks the fixed-function APIs introduced in OpenGL 1.0 and deprecated in OpenGL 3.0.

Actually there's a 2.0 webGL already...

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #12
Quote from: kixik – on
Quote from: Shoun2137 – on
most of the WebGL stuff is deprecated and nobody really uses this, I have WebGL disabled
May I ask what do you meanby deprecated?
WebGPU is superseding this. Try actually using any of the WebGL 1.0 features in-browser and you'll hit a lot of deprecation warnings. A lot of "This may be slow." warnings. Any self-respecting wasm project needs to bootstrap wrappers in javascript for any GPU related workloads which is just abysmal and it's by WebGL's design and fault. It's ancient at this point and shouldn't be used. Yes, we are kinda stuck with WebGL 2.0, but not for long, it's just a matter of browser vendors supporting WebGPU properly.

Re: Librewolf/Firefox Browsers: Vulnerability and Exploit Exposure

Reply #13
Quote from: Shoun2137 – on
WebGPU is superseding this. Try actually using any of the WebGL 1.0 features in-browser and you'll hit a lot of deprecation warnings. A lot of "This may be slow." warnings. Any self-respecting wasm project needs to bootstrap wrappers in javascript for any GPU related workloads which is just abysmal and it's by WebGL's design and fault. It's ancient at this point and shouldn't be used. Yes, we are kinda stuck with WebGL 2.0, but not for long, it's just a matter of browser vendors supporting WebGPU properly.

Ah, I see, you mean when available on gnu+linux webGPU will make webGL obsolete, :)  I'm wondering if from a fingerprinting perspective that will even be worse than webGL,  :-\  browserleaks mentions it, several concerns are also expressed on this hackaday post and some concerns are also expressed on hacker news 35465935 and 42031463 for example, the last motivated over a nvidia security vulnerability.  But replacing openGL with vulkan and webGL with webGPU doesn't seem by itself to make things any better on the privacy front, :(  Still, I'll have to wait to see what will be the Librewolf folks reaction.  Without webGL I can't feel slowness on Librewolf, not sure if webGPU will make the difference between with and without really drastic.

Thanks a lot !