Comments
lotd7775227d
So you’re saying, instead of sneaking payloads in with jpeg & other containers, I can just embed it in a font?
Sounds like it’s time to update the inspections for disassembling fonts.
devRancid648226d
> It's only a matter of time until someone embeds a cryptominer in a font file.
Sure someone might do it, but it's useless without network access
vintprox5629226d
@devRancid Hm, author of that post is known to overestimate the effects... If it's programming in fonts, I suppose API provided is very limited. I'm yet to find out what it's supposed to operate on that variable fonts can't do.
12bitfloat9374223d
WebAssembly is very sandboxed. In fact you CAN'T even access files or anything of value since those APIs aren't even standardized yet lol
I don't really see how this is a big problem apart from the insane over-engineering just to lay out a damn font
lorentz15174222d
@devRancid @12bitfloat @vintprox Unfortunately, since Spectre came about, any language that's fast enough is an attack vector. Yes you need an exfil path, but you can time the script by defining something in CSS that has a background image and is only visible once the font is correctly laid out, or something of that nature, so exfil really isn't as difficult as it sounds when your information is presented as render delay.
lorentz15174222d
There was a trick in JS, widely publicized recently, to improve the low-res clock to the point where it can be used for cache timing attacks.
Everyone's gangsta until common text shaping engine allows Wasm in font files.
Wait... https://mastodon.social/@schizanon/...
rant
who asked
gone wrong
harfbuzz
webassembly
security concern