That second link is seriously scary, how would you ever avoid falling for that? Does anyone know how it works? Going to https://tranquil-bits.surge.sh I'm guessing I'm seeing the attacker's form, but it has duckduckgo.com/vpn as the URL and https.
Edit: If you click submit on the VPN form you get "This could have been a phishing page." so it's definitely the attacker's form, that's crazy.
The problem is the XSS vulnerability. This means the attacker can run arbitrary JS on the site, which I assume is used in the second link to modify the form handlers to run the "This could have been a phishing page.". And yes, that could be used to send the credentials somewhere.
There isn't anything you can do to spot this. This is on DuckDuckGo to fix, and them not responding to the report for such a long time is irresponsible and not really excusable.
We have corresponded many times about this issue, and have made many changes over that period.
It's not as simple as just shutting down the open proxy because we need an open proxy to adequately protect users' privacy on our site, e.g. for image search. It just needs to be more locked down and more obvious it is a proxy, which we are doing right now (half done already -- CSP rolled out fully, new domains in process).
We are working on further fixing this issue. We require an open proxy in some form to protect our users' privacy, though it should be more locked down and more obvious it is a proxy.
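The fix yegg describes above is a locked-down Content-Security-Policy plus moving the proxy to its own domain, so that an XSS bug on the proxy can no longer run script or hijack forms in the context of the search page. The following is an added example, not code from the thread or from DuckDuckGo, of a small CSP checker that flags the directive settings which leave a page open to exactly that: inline script, wildcard or data: script sources, and a missing form-action. The two policies at the bottom are constructed for illustration and are not DuckDuckGo's real headers.

```javascript
// Added example (not from the thread or DuckDuckGo): audit a
// Content-Security-Policy header for settings that let injected script run
// or let a tampered form post credentials to another origin.

function parseCsp(header) {
  // A CSP header is ';'-separated directives: "name source1 source2 ...".
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Browsers honour only the first occurrence of a directive.
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent; with neither, any script loads.
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: any script source is allowed');
    return findings;
  }
  const src = scriptSrc.map((s) => s.toLowerCase());

  // When a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline',
  // so it is only a problem on its own.
  const hasNonceOrHash = src.some(
    (s) => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s)
  );
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected <script> and inline handlers run");
  }
  if (src.includes('*')) findings.push('script-src allows any host (*)');
  if (src.includes('data:')) findings.push('script-src allows data: URIs, which bypass host allow-lists');
  if (src.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");

  // form-action does NOT fall back to default-src. Without it, a form whose
  // action was rewritten by injected script can submit to any origin.
  if (!policy['form-action']) {
    findings.push('no form-action: a tampered form can submit credentials to any origin');
  }
  return findings;
}

// Constructed example policies (not real headers from any site).
const WEAK_CSP = "default-src 'self' *; script-src 'self' 'unsafe-inline' data:";
const HARDENED_CSP =
  "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; " +
  "object-src 'none'; form-action 'self'; base-uri 'none'";

console.log('weak:', auditCsp(WEAK_CSP));
console.log('hardened:', auditCsp(HARDENED_CSP));
```

The hardened policy uses a per-response nonce with 'strict-dynamic', which makes CSP3 browsers ignore the host allow-list entirely; that matters for a site that must keep an open proxy, because the proxy host then cannot be used as a script source even if it is listed elsewhere in the policy.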
Wow. The example in the tweet would completely fool me. If you just go to the address bar and press enter ("reloading" the page, but actually going to the address), you can see it's just a search.
Thank you, just the push I've been needing. As of this moment, I'm off to ixquick/startpage, which for one thing doesn't require me to go all laid-back and inclusive on the JavaScript, and which for another has those nifty proxy-links.
Can someone explain what I'm seeing? As far as I can tell, both those links really do leave me on DDG webpages. The only requests according to firebug are to duckduckgo.com. What am I missing (or has this since been fixed)?
mcintyre1994 | 8 years ago
discordianfish | 8 years ago
_Codemonkeyism | 8 years ago
"Reported in March 2017, emailed them 9 times about the issue since then. Still unfixed as of now."
yegg | 8 years ago
cholantesh | 8 years ago
yegg | 8 years ago
minitech | 8 years ago
Which feature relies on this?
la_oveja | 8 years ago
No fancy quick-result box, but fast as lightning.
slazaro | 8 years ago
drake01 | 8 years ago
interfixus | 8 years ago
helenius | 8 years ago
Adding to Firefox is easy via https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-ht...
NLips | 8 years ago
yegg | 8 years ago
t0mek | 8 years ago