2

I've just copy paste and run through the Scratchpad a code form the source code of a website.

I want to know if this code has more privileges when it runs through the Scratchpad of Firefox or has the same privileges as when it runs directly through the webpage.

Before pasting on Scratchpad Firefox alerts this message:

Scam Warning: Take care when pasting things you don't understand.
This could allow attackers to steal your identity or take control of your computer.

I know that there are javascript exploits that could run through a website but..

The message from Firefox seems like:

"The javascript on Scratchpad has more privileges than a Javascript of a webpage and the attackers can steal without exploits, just with standar code"

Is it true?

The same code can act differently from a website and differently from the Scratchpad in terms of security?

Or it's just like including it inside the html, with all safety measures that has the javascript inside a website?

Why Firefox alert us on Scratchpad about something that could be done anyway just by visiting a malicious webpage (potential javascript attack)?

Community
  • 1
  • 1
Zalk358
  • 53
  • 1
  • 6
  • the same code does not act differently - the only difference is, the oblivious user pastes code it doesn't understand into the context of a webpage, so giving the code the same privilege as if a hacker hacked a website and injected malicious code into the page ... code injection via oblivious wetware – Jaromanda X Jan 28 '16 at 10:53

1 Answers1

3

By default, code running in the scratchpad can do anything that JavaScript on the web site you're looking at can do, no more and no less. That means it can access your data from that site, and possibly send it somewhere else without telling you, or it can take actions pretending to be you on that site. The message you're seeing is a warning to unwary users who are not coders, to keep them from pasting malicious code that might do some of those things into the scratchpad just because someone told them to, because they won't be able to tell that the code is malicious. If you go to Facebook and look at the browser console, you'll see a similar warning explaining the same thing, because this is a fairly common type of social engineering attack.

Now, I said "by default" earlier, let me explain what I meant. It's also possible to change the scratchpad from "content" mode to "browser" mode. To do that, you have to enable the option in the developer tools settings (it's called "Enable browser chrome and add-on debugging toolboxes"), and then switch the scratchpad to Browser mode using the Environment menu. If you do those things, then the scratchpad can do anything that the browser itself, not a particular web site, can do. So the scratchpad running in that mode really does have more permissions than a web page does; it can do anything that a native application could. But content mode is the default mode, and it has exactly the same permission set as web pages do.

DrGoldfire
  • 986
  • 9
  • 13