Mark, 

The scenario I had in mind was: Person A (attacker) adds malicious code to 
his TW instance, which is accessible via the web through GitHub Pages or 
something similar. He then shares his wiki link with Person B, who 
unknowingly goes to take a look at Person A's wiki. On doing this, Person B 
then has this malicious JS execute on his end, thereby hacking/infecting 
him.

With JS, this exploit could be crafted in a variety of ways. As stated, 
there is already pure-JS ransomware, which, combined with some creativity, 
could trick the user into allowing the wiki to access the local filesystem. 
There are also ways of installing damaging malware on the user's system 
(see https://en.wikipedia.org/wiki/Drive-by_download), purely from 
vulnerabilities like this.

So this exploit can reach beyond the scope of there being someone who "can 
sit down at your desk and insert code."

On Tuesday, August 17, 2021 at 10:30:02 AM UTC-4 Mark S. wrote:

> I'm trying to understand what the problem is.
>
> TW isn't multi-user. If someone can sit down at your desk and insert code, 
> then you already have security problems way beyond code.
> Likewise, if you have a publicly exposed TW that anyone can save with, 
> then you have security problems beyond a code hack.
>
> So I'm not seeing what the concern is. If someone has the ability to save 
> to your TW, then you already have a security breach, regardless of the 
> nature of the inserted code.
>
>
> On Tuesday, August 17, 2021 at 7:21:56 AM UTC-7 R² wrote:
>
>> OK, got it to execute. For some mysterious reason, the first few 
>> keypresses didn't do anything, then a few did. I clicked elsewhere and 
>> modified another tiddler, the next few didn't, and when I went back to the 
>> malicious tiddler to get it to execute again, it hadn't recorded keypresses 
>> made in the other tiddler. It does seem as if it's at least partly 
>> sandboxed, but I'll defer to the core coders; I was just curious to see what 
>> this was about.
>>
>> Best,
>> R²
>>
>
