by matusfaro on 9/11/23, 4:06 PM with 54 comments
I find myself wanting to use online format parsers to quickly decode that production JWT or decode a base64 Authorization header, but cannot trust these websites not to leak my information. I thought to myself: if only I could cut off network access to this site, use it offline, and then throw away all browsing data. So I created an extension just for that.
It uses Firefox's contextual identities API (Containers) to isolate browsing data and inter-tab communication. Once the site is fully loaded, I then inject bogus proxy settings for any requests leaving that container to effectively cut off network access. And once I'm done, I simply delete the Container.
Use Cases:
* Parse a live JWT token
* Convert a Base64 Authorization header
* Hash a password
* Parse a Protobuf message
* Submit my name and birthdate to estimate my date of death
Check out the MIT source code on GitHub [1] and install QuaranTab from the Firefox store [2]. If anyone is interested in a discussion, I'd love to chat about:
1. Any ideas on how we could implement this in Chromium? Using private window as a "Container"?
2. Can you come up with an exploit? I posted a 100 USD bug bounty [3] if you find one!
3. Is there any way to prove an extension in the store was built from source in GitHub? I am imagining some kind of third-party escrow service managing the Firefox store account and building from specific public git repository.
1. https://github.com/matusfaro/quarantab
2. https://addons.mozilla.org/en-US/firefox/addon/quarantab/
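The mechanism described in the post, written out as an added example (this is not QuaranTab's own code): a fresh container is created for the tab, the page is allowed to load, and from then on every request that carries that container's cookieStoreId is routed to an unroutable proxy. The decision logic is kept as a pure function so it can be tested outside the browser. Assumed here: the `browser.contextualIdentities`, `browser.tabs` and `browser.proxy.onRequest` APIs with the `contextualIdentities`, `cookies`, `tabs`, `proxy` and `<all_urls>` permissions, that `details.cookieStoreId` on a proxy request identifies its container, and that removing a container closes its tabs and discards its data. The proxy address is an arbitrary choice.

```javascript
// Added example of a "quarantine this tab" Firefox WebExtension background
// script; not QuaranTab's code. See the lead-in for the assumptions made.

// cookieStoreIds of containers whose network access has been cut.
const quarantined = new Set();

// Pure decision function used by the proxy.onRequest listener. Returning a
// one-element array gives Firefox no failover target, so a request from a
// quarantined container goes to the bogus SOCKS proxy and fails there.
// Caveat raised in the thread: connections that are already open (for
// example WebSockets) are not torn down by a proxy change.
function proxyDecision(details, cut) {
  if (details.cookieStoreId && cut.has(details.cookieStoreId)) {
    // 0.0.0.1:9 is an unroutable placeholder address chosen for this example.
    return [{ type: "socks", host: "0.0.0.1", port: 9, proxyDNS: true }];
  }
  return { type: "direct" };
}

// Resolve once the tab reports status "complete" (assumed tabs.onUpdated shape).
function waitForLoad(tabId) {
  return new Promise((resolve) => {
    const onUpdated = (id, info) => {
      if (id === tabId && info.status === "complete") {
        browser.tabs.onUpdated.removeListener(onUpdated);
        resolve();
      }
    };
    browser.tabs.onUpdated.addListener(onUpdated);
  });
}

// Open `url` in a brand-new container so its cookies, storage and
// BroadcastChannel/localStorage messaging are partitioned from other tabs.
async function openQuarantined(url) {
  const ctx = await browser.contextualIdentities.create({
    name: "quarantine-" + Date.now(), color: "red", icon: "fence",
  });
  const tab = await browser.tabs.create({ url, cookieStoreId: ctx.cookieStoreId });
  await waitForLoad(tab.id);
  cutNetwork(ctx.cookieStoreId); // page is loaded; nothing leaves from now on
  return { cookieStoreId: ctx.cookieStoreId, tabId: tab.id };
}

function cutNetwork(cookieStoreId) {
  quarantined.add(cookieStoreId);
}

// Done with the page: forget the container, which drops its browsing data.
async function discard(cookieStoreId) {
  quarantined.delete(cookieStoreId);
  await browser.contextualIdentities.remove(cookieStoreId);
}

// Wire the listener only when running inside the browser; the decision
// function above stays testable under plain Node.
if (typeof browser !== "undefined" && browser.proxy) {
  browser.proxy.onRequest.addListener(
    (details) => proxyDecision(details, quarantined),
    { urls: ["<all_urls>"] }
  );
}
```

The important design point is that the cut is keyed on the container, not on the tab or the URL: a second tab opened in the same container (say, via window.open from the page) inherits the same cookieStoreId and is cut off too, while tabs in other containers keep working.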
by matusfaro on 9/11/23, 7:59 PM
Thank you "dz2742" for finding out [1] that existing connections, including websockets, are not terminated; they have won 100 USD! This is exactly the type of exploit I was hoping to catch.
Now I have to figure out how to fix that :) And also think about refilling the bug bounty pool without becoming very poor very soon.
by ravenstine on 9/11/23, 4:36 PM
by justin_oaks on 9/11/23, 8:26 PM
There is an online version [1] but it doesn't submit any data to any servers. It only loads JS for the operations it needs to perform.
You can also download it and run it offline [2]. This is what I do.
I'll leave it up to you to decide if this makes QuaranTab unnecessary or if it's the perfect reason to use QuaranTab.
by danShumway on 9/12/23, 12:44 AM
If you do want to go down that route, using the blocking `webRequest` to record responses and stick them into storage and then re-serve them from the cache would possibly be the best way to go about it. At that point though I'd probably advise seeing if you could get off of `<all_urls>` as a required permission? And I haven't ever played with blocking network requests for websockets, so I'm not sure if they'd require separate handling.
Just a thought. But regardless, thanks for sharing :)
by danShumway on 9/12/23, 12:27 AM
This is (in theory) part of Mozilla's review process, and depending on how the extension is submitted they can (I've heard) be fairly strict about it. But it's not user-facing at all and I don't know how universally they review source code.
It really needs to be fixed from Mozilla's end though; I don't see much reason to get a 3rd party involved instead of lobbying Mozilla to add some kind of process on its own that's more prominent. A 3rd-party verification service would be possible (you'd just download the extension from Mozilla's servers and extract it, re-run the build process and check to see if the artifacts matched), and in theory you could even have a completely separate extension store from Mozilla's -- as long as the extensions are signed you can host them anywhere, and there's nothing preventing you from getting other extensions built from source signed. You could have a pseudo-F-Droid addon store that distributed Mozilla-signed extensions you've pulled from Git and built yourself.
But... I mean, I just feel like it's something we should lobby Mozilla to do, they're in the best position to do it and in the best position to have the most impact if they do.
by necovek on 9/11/23, 4:13 PM
It would certainly be nice to get something à la F-Droid for free software extensions like yours (which guarantees source code matches built package IIRC), as a response to your question 3.
I am sure one can create an alternative extensions store in FF and change some config in about:config to use it, though it's likely non-trivial.
by solardev on 9/11/23, 5:17 PM
Totally off topic, but curious how this works? Nationality and life expectancy? Sex at birth? Assassins for hire?
by solardev on 9/11/23, 5:25 PM
2. Exploit idea (not trying for the bounty, just thinking aloud). I wonder if a website could play background music (or a video) with steganographically encoded data, then another tab could listen to it with microphone permissions on and decode it that way. I'm thinking like a fake video conferencing site, or malicious telephony how-to doc that deals with API calls and such and links to a fake password hasher that then plays the audio for the first tab to hear. Convoluted, I know, just an idea.
by wazzaps on 9/12/23, 11:51 AM
This only works if you have one tab of this website, since tabs of the same website can message each other (and exfiltrate data).
Also useful for debugging frontend bugs in "destructive" operations in production :)
by justin_oaks on 9/12/23, 3:43 PM
by madacol on 9/12/23, 7:59 AM
by icar on 9/12/23, 9:55 PM
by stainablesteel on 9/11/23, 7:03 PM
The same way you can silence the sound output of a tab, you should have as simple and reliable a tool to stop communication to either the network, OS or both.
I'd love a tool to see which tabs are talking with each other also.
by webstrand on 9/11/23, 7:56 PM
by mikae1 on 9/11/23, 8:16 PM