What security holes are introduced by clicking an unknown link?
Assuming there are no remotely exploitable vulnerabilities in your browser (including any of the plugins), in your AV software, in your operating system, in your router... there's no danger. :)
I am being coy, obviously, but I'm not bending the truth by much. If you're keeping your workstation software updated, chances are you're pretty immune against most things the Internet would be throwing at you. Drive-by exploitation attempts sent out en masse (or self-propagating ones, like worms) usually try to exploit old vulnerabilities, in hopes of catching people who haven't been applying security updates.
On the other hand, if you're a valuable enough target for someone to be targeting you directly, then you have to be a lot more cognizant and careful about clicking random links, because someone may attempt to use so-called "0-day" exploits on you. These would be exploits that are either not known to security researchers, or known but without known fixes/AV signatures/etc. Security-conscious people usually have a sandboxed environment (a fully isolated virtual machine, for example) for opening links they deem suspicious, but it's obviously overkill for most people. Your browser includes significant defences against malicious content that could be harmful to your system, and if you've been careful about keeping your operating system and your browser updated with the latest patches, you're probably okay.
A few:
Drive-by browser attacks: This is where an attacker exploits a vulnerability in your browser and from there can exfiltrate information from your browser or, more likely, execute code on your machine.
CSRF: They can send requests to sites (that don't have CSRF protection) that you're already logged into by having you click a button (this is not always necessary). Sometimes if the site an attacker is making you interact with is very poorly designed they could make you do things on that site through an image tag, for example: .
Attacking your internal network or router. Attackers can request resources behind your firewall because your browser is behind your firewall. They can also attack your router (routers are notoriously vulnerable to attackers who are on the same network as the router, check out this site http://www.routerpwn.com/). An attack like this would often be aided by something like DNS rebinding. The most common thing an attacker would do when they attack your router is changing the router's DNS server or proxy settings so that they can MITM your traffic.
An attacker could also attack any web servers running on your machine. All kinds of applications run web servers on your machine that you likely don't even know about. Recently an exploit was discovered in the torrent client uTorrent that would allow an attacker to run code on a user's machine through requests to a server that uTorrent ran on users' machines (source). Another example is the recent Kaspersky vulnerability that did the same thing.
An attacker could also attack local applications by interacting with said application through its custom URI. For example, the recent Exodus wallet RCE (https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374)
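As an added example (not code from the answer above, nor from any of the products it names), here is the request filter a service that listens on localhost can apply so that a victim's browser cannot be turned against it: the Host check defeats DNS rebinding (the attacker's hostname resolves to 127.0.0.1, but the browser still sends the attacker's hostname in Host), and the Origin/Referer check on state-changing requests defeats CSRF. The allowed hostnames and the "no Origin means non-browser client" policy are assumptions.

```python
# Added example: a request filter for a local web service (e.g. the kind of
# helper server a torrent client or AV product runs on the user's machine).
# Two checks, both purely defensive:
#  1. Host must be a name the service expects (defeats DNS rebinding).
#  2. Writes must come from the service's own origin (defeats CSRF).
from urllib.parse import urlsplit

# Hostnames under which the local service is legitimately reachable (assumed).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _hostname(host_header):
    """Strip any :port from a Host header value, keeping IPv6 brackets."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]


def check_request(method, headers):
    """Return (allowed, reason). `headers` is a dict with lowercased keys."""
    host = headers.get("host")
    if host is None or _hostname(host.lower()) not in ALLOWED_HOSTS:
        # A rebinding attack reaches 127.0.0.1 but carries the attacker's name.
        return False, "host header not recognised (possible DNS rebinding)"
    if method.upper() in SAFE_METHODS:
        return True, "read-only request"
    # Browsers send Origin (or at least Referer) on cross-site writes.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        # Assumed policy: no browser context at all means a CLI/API client.
        return True, "non-browser client"
    # urlsplit("null").hostname is None, so an opaque "null" Origin is blocked.
    bare_allowed = {h.strip("[]") for h in ALLOWED_HOSTS}
    if urlsplit(source).hostname in bare_allowed:
        return True, "same-origin write"
    return False, "cross-site write blocked (CSRF)"
```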
To make this answer more general, I removed the actual domains: the links tend to expire shortly when the administrator of the compromised site responds to the problem.
I'm curious about this specific case: curl'ing -- seemingly useless -- obfuscated JavaScript.
This http://example.com/administrator/components/com_falang/inferentialj.html can be seen as an entry point. It contains seemingly unharmful obfuscated JavaScript that doesn't per se contain anything directly malicious. Many of these try to look like a completely normal CMS component or plugin, and some even only activate on a certain condition, like when someone visits the site for the first time. All this is for survival: for hiding from the site administrator as long as possible. The only purpose for the entry point may be to redirect the user to somewhere else, as is the case now.
What happens next may also vary depending on the conditions, to complicate the investigation. The next site may be configured to give the actual payload only when an actual browser accesses it, or only if the browser's user agent matches something that could be exploited. It may give different contents when the user agent is e.g. curl/7.52.1, so obfuscating the user agent using curl -A may come in handy. The next URL http://example.net/?s=27012018&a=401336&c=cpcdiet gives an empty reply to curl, while Google Chrome gets a new HTTP redirect:
Location: http://example.net/all/gcqs/cpc?bhu=CWpXnMGxogFTuYGF1JYCW2zLUa3SvtaoyYB9d
which has the following content (indentation added for readability):
<link rel="stylesheet"
      href="/assets/CWpXnMGxogFTuYGF1JYCW2zLUa3SvtaoyYB9d/theme_1pgoz4.css?CID=411298"
      type="text/css">
<link rel="dns-prefetch"
      href="http://203.0.113.61.d.example.org">
<script>
  window.location.replace("http://pharmacy-site.example.org");
</script>
where
- the stylesheet URL has just a placeholder CSS containing only /*...Empty theme...*/
- the dns-prefetch URL currently leads to an NXDOMAIN
- the script finally redirects to a site titled Pharmacy online-store, selling Viagra.
The final location is a domain registered to a private person from Russia; high probability for scam.
What potential security flaws could I have been exposed to by simply clicking on an unknown link, and doing nothing else?
This has a huge potential to be harmful in general, but it depends on how your browser reacts and whether the exploit is targeted against a vulnerability in this particular environment.
This investigation revealed that you could have lost money by ordering Viagra on a (probably fake) pharmacy site, but it could well have been worse, too.
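The investigation above can be replayed with a script instead of by hand. The following is an added example, not part of the answer: it follows HTTP redirects under a chosen User-Agent and, without executing any JavaScript, pulls the target out of a static window.location.replace(...) call in the returned HTML. The fetcher is a constructed stand-in for the network that reproduces the user-agent-dependent chain described above, using the same placeholder domains as the answer.

```python
# Added example: follow a redirect chain the way the answer did, with a
# user-agent switch and static extraction of JavaScript redirects (no JS runs).
import re

# Matches window.location = "...", .href = "...", .replace("..."), .assign("...")
JS_REDIRECT = re.compile(
    r"""window\.location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']"""
)

START = "http://example.net/?s=27012018&a=401336&c=cpcdiet"
SECOND = "http://example.net/all/gcqs/cpc?bhu=CWpXnMGxogFTuYGF1JYCW2zLUa3SvtaoyYB9d"
FINAL = "http://pharmacy-site.example.org"

# Constructed responses keyed by (url, looks_like_browser): (status, headers, body).
# Mirrors the answer: curl gets an empty reply, a browser gets a 302 and then HTML.
FAKE_NET = {
    (START, False): (200, {}, ""),
    (START, True): (302, {"Location": SECOND}, ""),
    (SECOND, True): (200, {}, '<script>window.location.replace("%s");</script>' % FINAL),
    (FINAL, True): (200, {}, "<title>Pharmacy online-store</title>"),
}


def fake_fetch(url, user_agent):
    """Stand-in for an HTTP client; the site keys its behaviour on the UA."""
    looks_like_browser = not user_agent.startswith("curl/")
    return FAKE_NET.get((url, looks_like_browser), (200, {}, ""))


def extract_js_redirect(html):
    """Return the first static window.location target in html, or None."""
    m = JS_REDIRECT.search(html)
    return m.group(1) if m else None


def follow_chain(url, user_agent, fetch=fake_fetch, max_hops=10):
    """Return the list of URLs visited until no further redirect is found."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        if 300 <= status < 400 and "Location" in headers:
            url = headers["Location"]          # HTTP-level redirect
        else:
            url = extract_js_redirect(body)     # script-level redirect, not executed
            if url is None:
                break
        if url in chain:
            break                               # redirect loop
        chain.append(url)
    return chain
```

Swap fake_fetch for a real client (e.g. one built on urllib with redirects disabled) to run it against a live chain; keeping JavaScript unexecuted is what makes this safe to run outside a sandbox.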