Can a website in itself be dangerous?

security website web safe-browsing
9,589

Solution 1

Web browser are programs that can have vulnerabilities just like any other software.

This means that simply browsing a web site with a web browser that has a remote code execution vulnerability could in the worst case lead to an attacker being able to execute code with the permission of the web browser.

Modern web browsers use a sandbox system that should prevent such code from causing damage, but again these systems aren't perfect and hackers may find ways to escape from the sandbox and infect your system.

The developers of web browsers like Google, Mozilla, Apple close those vulnerabilities when they get to know them, but a number of vulnerabilities occur as "zero day vulnerabilities" which means that they are first used to attack users and then they get notices, e.g. by anti-virus companies that then inform the web browser developers. Then a fixed version has to be developed and distributed to all users, which can take some time.

In conclusion you can say that surfing web sites can harm your computer if you are unlucky and there is an unfixed vulnerability in your web browser.

As a large number of those vulnerabilities require JavaScript it is a good idea to disable JavaScript for suspicious web pages. You can do so e.g. using add-ons like NoScript.

Solution 2

If you take a look at this and previous generation of video game consoles (PlayStation 4 and 5, Xbox One and Series), the web browser is what is used to exploit bugs in the firmware to gain access to features that aren't normally available. The user who wants to exploit their console visits a specially prepared website and that's basically it. The same exploits can be used for malicious purposes.

And yes, this is a good analogy to PCs: these consoles are running an operating system like any personal computer and their browsers are based on Webkit - the same engine that powers overwhelming majority of desktop browsers*.

Why are exploits like this not so common on the PC? I suppose mostly because desktop browser vendors are much better at keeping their browser up to date. All major browsers are evergreen, ie. they auto-update to the latest version as soon as it's released. With consoles, the browser is bundled with the firmware and they don't seem to do a very good job keeping it up to date - possibly because it's more tightly integrated with the rest of the system and they can't afford to re-test everything thoroughly every time a minor patch is released.

* More precisely, Chrome and some of its relatives are powered by the Blink engine, which is based on Webkit. Firefox is the most popular Webkit-free browser as of now, but the same principles apply.

Solution 3

Websites could be dangerous if browsers have vulnerabilities. But even if there aren't any vulnerabilities in your browser, they could be dangerous depending on your definition.

  • They could exploit vulnerabilities in other websites, for example to steal your account, or bypass the firewalls between the internet and your local network. Or they simply attempt DDoS to another website using your browser, which may do damage to that website, or get you blocked from the other website, or both.
  • They could run mining scripts of a cryptocurrency.
  • They could make your system freeze simply by using a lot of resources in some cases.
  • If the link is specifically designed for you, it would leak your IP and location information, some system information and settings, and the fact that you actually clicked it, implying you have read the message.
  • In case you are hiding your activities from your ISP by using some kinds of proxies, in theory they could know you if you visit a given website, by measuring the bandwidth.
  • Might not be intended, but they could make some 3rd party ad platforms show unfriendly ads in the next days.
  • Some captcha providers say they could analyze the user's behavior and simplify the process to just one click in some cases. I don't know how it works. But if it works, in theory they could break it by copying your behavior.

Solution 4

It might not target the hardware but a website could be designed to specifically exploit the risk some people have to induced epileptic seizure and in that way actually be medically dangerous to the user. I could well see an argument that such a website would in fact be more dangerous than one that merely exploits random security flaws.

Solution 5

Yes. Even simple images without any HTML, let alone any active content, can be used to exploit vulnerabilities in image viewers, including browsers.

Here is an older example. As-is it "only" crashed the browser but I think as a general rule such bugs can potentially be used to execute code.

Share:
9,589

Related videos on Youtube

norway-yv
Author by

norway-yv

I am a student, and I work with python in maths and my free time. I also experiment a little with HTML, CSS, and JS, as well as PowerShell and CMD.

Updated on September 18, 2022

Comments

  • norway-yv
    norway-yv over 1 year

    I do understand that there is a risk of phishing, and that it downloads files that may cause harm when opened. But is there any risk of something bad happening when I simply open a website? In that case, what can happen?

  • norway-yv
    norway-yv about 2 years
    So, that means that there is virtually no danger if I use a fully updated web browser and open a link that is obviously scam a couple of weeks after I received it (except the risk of giving away personal info or similar)?
  • Robert
    Robert about 2 years
    @norway-yv Not sure what you mean by "virtually". There is danger because zero day vuln. exists (in general) and you never know when the next zero day has been found by some attackers. From the time such a vuln. has been found until your web browser receives the final patch against this vuln. you are vulnerable. This time span can be days or weeks.
  • norway-yv
    norway-yv about 2 years
    Ok, I see. Thanks for helping out!
  • Moab
    Moab about 2 years
    They called these "drive by infections" back in the day they first started. No user interaction other than visiting the malicious website.
  • Heinzi
    Heinzi about 2 years
    @norway-yv: "...a couple of weeks after I received it..." That won't make a difference: Yes, your browser will have received updates in those weeks, but the website owner can update the malware on their web site as well.
  • Keltari
    Keltari about 2 years
    while technically true, thats not what the OP was asking about
  • Jörg W Mittag
    Jörg W Mittag about 2 years
    One of the most interesting security vulnerabilities in recent times was the Spectre/Meltdown family of vulnerabilities whose researchers actually managed to construct some ECMAScript code which when compiled by V8's JIT compiler produced the necessary machine code to exploit it. While Google changed the JIT compiler even before the paper was published and thus closed the hole, this is interesting because as we know, Spectre/Meltdown allows you to access all of a computer's memory even if you are running inside of a VM, here they demonstrated that you can do that even remotely with code that …
  • Jörg W Mittag
    Jörg W Mittag about 2 years
    … runs sandboxed inside of a browser. With this particular vulnerability you could run a sandboxed web browser in sandboxed environment in a sandboxed VM and just by visiting a website and running some sandboxed "interpreted" ECMAScript code, the remote server can read all of the memory in the computer.
  • norway-yv
    norway-yv about 2 years
    But it is a good point though... It can be harmful. But not in a superuser way, more in a health way.
  • stevec
    stevec about 2 years
    @Keltari that may be so, but this answer demonstrates how creative attacks can be.
  • Andrew T.
    Andrew T. about 2 years
    The question may be ill-defined about the "danger". In this case, some other examples may include inducing heart failure (e.g. due to jump scare) or triggering PTSD (with text/image).
  • 2rs2ts
    2rs2ts about 2 years
    Familiarizing yourself with a selective JavaScript blocking add-on is one of the best things you can do to improve your personal security online, nearly as much as learning how to recognize phishing attempts and fake links. An ad blocker is also a must-have, because internet ads can contain malware–if there is a vulnerability in your browser than can be exploited by, say, having the browser load an image, then scammers will definitely put that exploit into banner ads. An otherwise safe site that sells ad space can unintentionally become a virus spreader.
  • norway-yv
    norway-yv about 2 years
    I see. But this "social engineering", how does it accomplish its goals? If I am vigilant and aware of the fact that the site is fraudulent, is it still imaginable that the "social engineering" will function?
  • Fred
    Fred about 2 years
    If you are fully aware that it is a fraudulent website then social engineering won't get much from you. But the website can use information gained about your browser, OS, IP address, computer and etc. to find vulnerabilities on your computer, other computers and devices on your network, and check for holes in your firewall. How does it do this? By running scripts without your knowledge. Because they can run scripts on your computer means they can do damage even though you didn't download anything.
  • Fred
    Fred about 2 years
    It is also possible that the fraudulent website has a signed certificate. Making it even harder to identify that the website is indeed fraudulent.
  • norway-yv
    norway-yv about 2 years
    @AndrewT. I am inclined to agree, but that is a bit like answering "do it by hand" on StackOverflow: SuperUser is there for IT questions and answers, and then I think it is obvious that I meant "to your computer or similar" because that is what this site is about.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Possible values for X-Requested-With header?
How to run php script in png/jpg extension
How to Download Files From 115.com?
HTTP Slow Post and IIS settings to prevent
How to find a file location from a web browser
How do I find the static IP of a website?
How to check whether my browser is IPv6 enabled?
Unique Browser / User ID?
How can I check if a website is publicly accessible?
What are the "hidden" redirect pages some websites use when clicking on links?