
Question for tech people about video security.

sparkoflife

Tourist
So some videos "call home" when played. They somehow contact their maker over the internet and reveal your IP. How does this work? Do you have to have a browser window open? Can they just make their own internet connection? Is there a way to tell if a video can do this without playing it?
 
The only way to do that I can think of right now is to have an exploit for the video player in the video and patching your video player helps there. But I'm no specialist. There might be some DRM stuff there that does that or functions for getting metadata.
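On the question of checking a file without playing it: one thing that can be done is to list the URLs stored in the file's bytes. This is an added example, not code from anyone in the thread; the sample bytes and hostnames are constructed, and it assumes the URL is stored uncompressed as ASCII or UTF-16LE text.

```python
import re
from urllib.parse import urlsplit

SCHEMES = (b"http", b"https", b"rtsp", b"mms")
# URL characters: printable ASCII minus whitespace, quotes and angle brackets.
URLCHAR = rb"[^\x00-\x20\"'<>\x7f-\xff]"

def _pattern(wide):
    """Build a URL regex for plain ASCII, or UTF-16LE when wide is True."""
    pad = rb"\x00" if wide else b""          # UTF-16LE: each char is followed by a NUL byte
    w = lambda s: b"".join(re.escape(bytes([c])) + pad for c in s)
    schemes = b"|".join(w(s) for s in sorted(SCHEMES, key=len, reverse=True))
    return re.compile(b"(?:" + schemes + b")" + w(b"://")
                      + b"(?:" + URLCHAR + pad + b"){4,200}")

_ASCII_URL = _pattern(wide=False)
_UTF16_URL = _pattern(wide=True)

def embedded_urls(data):
    """Return URLs found in raw bytes, in file order, without parsing or playing the media."""
    found = [(m.start(), m.group().decode("ascii")) for m in _ASCII_URL.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in _UTF16_URL.finditer(data)]
    return [url for _, url in sorted(found)]

def remote_hosts(urls):
    """Hostnames a player could be asked to contact if it follows these URLs."""
    return {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}

def scan_file(path):
    """Read a file from disk as bytes only and list its embedded URLs."""
    with open(path, "rb") as fh:
        return embedded_urls(fh.read())

# Constructed sample: binary filler, a UTF-16LE URL, then an ASCII playlist-style reference.
SAMPLE = (
    b"\x30\x26\xb2\x75" + b"\x00" * 8
    + "https://license.example.invalid/acquire?id=1".encode("utf-16-le")
    + b"\x00\x00\x07\x01"
    + b'<ref href="http://media.example.invalid/clip.wmv"/>'
    + b"\xff\xfe plain frames, no url"
)

if __name__ == "__main__":
    for url in embedded_urls(SAMPLE):
        print(url)
    print(sorted(remote_hosts(embedded_urls(SAMPLE))))
```

An empty result only means no plain-text URL was found; it says nothing about a player exploit like the one mentioned above, or about URLs stored compressed or encrypted.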
 
Ah so it's the player. I don't run java and my player is up to date so I guess I don't have to worry about this. Thank you.
 
JavaScript, not Java. Judging by this mistake, you probably don't know what it is exactly and probably do run it without knowing. It's a language that allows code to run in the browser, commonly used to make things like moving interface elements. Most sites don't work without it (this one does). It's heavily sandboxed but it's still a programming language. In Firefox you can install NoScript to disable it and make exceptions.
 
Does disconnecting wifi work to prevent these videos from "calling home"?

It should. But the exploit @Ookami described is basically a remote code execution, in which case sending information where you are is the last thing you should be worried about, it gives a lot of access to your computer.

I mean theoretically downloading a video could do the same thing if the site is running JavaScript

No. Downloading a video is the same as downloading any file. Until you open it, it's 100% safe. JavaScript is being run the moment you enter the website, you don't have to do anything else.
 
Yeah but the button to download a video could fire off a script when clicked, no?
 
Scripts fired off in your browser are under normal circumstances no problem - they're an essential part of how the web works and malignity is thought of - a script only has access to what it needs to function. It's only a problem because it can initiate the parsing of files - like showing pictures or videos - and because the parser might have an error that allows breaking out of that privilege level. Those happen, but an actual attack has to use an unknown way to do that. Every time you update your browser or media players, that fixes those bugs that are known at that time - just for new functions you'd rarely have to update. So yes, the video download button might take over your PC - but that is only if someone with the knowledge of such zero-day vulnerabilities made that button, and that one usually could sip cocktails on his own island for the rest of his life if he sold that knowledge instead of harming you personally.
 
Good to mention: Flash (.swf extension) is famous for having tremendous amounts of vulnerabilities. But it's been decommissioned and is harder to come by over time.
 
What I’m speaking of is: what’s stopping a button click (that, say, downloads a video) from firing off an HTTP request to send some data about the downloader to a server?
In that example the request could send over user data unknowingly.
 
It's that the program runs in a box and that this box is all that is known to the program. Problematic data are more of the sort like "The combination of sent screen resolution from the browser's perspective with the installed fonts etc. can be compared to another similar fingerprint we have in another database - so tracking against other websites you use in the same browser whose scripts might also make that database entry that's shared across companies with contracts to do so with your consent." The program can't access your position or files without making a request for them.
 