Adult sites are stashing exploit code inside svg files

56 The-Old-Hacker 30 8/10/2025, 11:45:41 AM arstechnica.com

Comments (30)

mananaysiempre · 2h ago
> The Scalable Vector Graphics format is an open standard for rendering two-dimensional graphics.

It would be nice if we had one of those, but SVG is not it, at least not unless you’re willing to gloss HTML as “an open format for rendering reflowable text”. SVG is a full platform for web applications with fixed-layout graphics and rich animations, essentially Flash with worse development tools.

There have been some attempts to define a subset of SVG that represents a picture, like SVG Tiny, but that feels about as likely to succeed as defining JSON by cutting things out of JavaScript. (I mean, it kind of worked for making EPUB from HTML+CSS... If you disregard all the insane feature variation across e-readers that is.) Meanwhile, other vector graphics formats are either ancient and not very common (CGM, EPS, WMF/EMF) or exotic and very not common (HVIF, IconVG, TinyVG).

(My personal benchmark for an actual vector format would be: does it allow the renderer to avoid knowing the peculiarities of Arabic, Burmese, Devanagari, or Mongolian?)

michaelt · 2h ago
I think some people on the SVG design committee were aiming to replace Flash for things like browser games, and wanted animations and javascript and so on to support that role.

That led to the weird situation where browsers have two ways of embedding an SVG into a web page: embed it in an <img> tag and the javascript won't run, but embed it in an <iframe> and it will (but of course iframe height can't auto-size...)

The javascript also means pretty much no user-generated-content sites allow the upload of SVGs. Wikipedia is the only place I can think of - and even they serve the SVG as a PNG almost everywhere.
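
As an added example, not code from the thread or the article: a server-side scan that a user-content site could run on uploaded SVGs to catch the script-bearing constructs michaelt describes before the file is ever served. The rule set, function names and sample documents are assumptions constructed for this example.

```python
# Added example, not from the article or thread: a server-side check a
# user-content site could run before accepting an SVG upload. It flags the
# active content discussed above (inline scripts, event-handler attributes,
# javascript:/data: links, foreignObject). Rules and names are assumptions.
import re
import xml.etree.ElementTree as ET

# Many editors emit a harmless DOCTYPE, but xml.etree expands internal
# entities, so this example refuses to parse anything that declares one.
_DOCTYPE_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
_BAD_SCHEMES = ("javascript:", "data:", "vbscript:")
_HTML_CARRIERS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(text: str) -> list[str]:
    """Return findings for an SVG document; an empty list means nothing active."""
    if _DOCTYPE_RE.search(text):
        return ["doctype/entity declaration present"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in _HTML_CARRIERS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {name}= on <{tag}>")
            # Browsers ignore whitespace before and inside the scheme.
            elif name in ("href", "src") and re.sub(r"\s+", "", value).lower().startswith(_BAD_SCHEMES):
                findings.append(f"{name}={value.strip()[:40]!r} on <{tag}>")
    return findings


# Constructed inputs: a plain drawing and one carrying every flagged construct.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
              ' onload="init()"><script>init()</script><a xlink:href=" javascript:void(0)">'
              '<rect/></a><foreignObject/></svg>')
```

A file that produces any finding would be rejected or rasterized to PNG, which is the route michaelt notes Wikipedia takes.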

kevin_thibedeau · 1h ago
You can also embed in <object>.

kibibu · 1h ago
You can also just throw an SVG element straight into your HTML.

vaylian · 35m ago
xmlns namespaces for the win!

guerrilla · 20m ago
I miss XML. It made so much sense. XSLT was awesome.

__david__ · 1m ago
It's still out there and supported. Load this page and then view the source: https://emacsformacos.com/atom/release

lemoncookiechip · 1h ago
All the more reason to block all JS by default with add-ons like NoScript or uBO and manage a whitelist.

It's a bit annoying the first few days, but then the usual sites you frequent will all be whitelisted and all that's left are random sites you come across infrequently.

Santosh83 · 1m ago
This used to be the case many years ago. But these days practically every site pulls in content from several other sites, sometimes dozens. Fine-tuning NoScript to get such a site to work without obscure breakage will take a long time of trial & error, reloading again & again. Now consider that you've to do this for every one of your regular sites.

NoScript is just too painful for people who want to just browse the web. It's the Gentoo of browser extensions. People with massive time & patience can do it, yes, but the rest of us are best served by uBlock & standard browser protections.

gruez · 41m ago
>It's a bit annoying the first few days, but then the usual sites you frequent will all be whitelisted and all that's left are random sites you come across infrequently.

How does this work in reality? Do you just whitelist every site you come across if it's broken? What's the security advantage here? Or do you bail if it requires javascript? What about the proliferation of sites that don't really need javascript, but you need to enable it anyways because the site's security provider needs it to verify you're not a bot?

ndriscoll · 36m ago
> Or do you bail if it requires javascript?

It depends, but frequently, yes. E.g. if I were about to read a tech blog and see it's from someone that can't make a couple of paragraphs work without scripting, then that raises the chance that whatever they had to say was not going to be valuable, since they evidently don't know the basics.

It's the frontend version of people writing about distributed clusters to handle a load that a single minipc could comfortably handle.

mindslight · 44m ago
Investing in NoScript can actually make pages faster, even if you end up enabling a bunch of javascript for functionality. For example, I remember having to whitelist only about half the resources used by homedepot.com. The rest was just shameless surveillance bloat, continually backhauling gobs of data as you were merely viewing the page. The site loaded and ran quicker without it.

shazbotter · 2m ago
People still have Facebook accounts? I genuinely don't know why anyone does at this point.

If you are a woman, did you know Facebook has been stealing menstruation data from apps and using it to target ads to you?

If you take photos with your smartphone, did you know Meta has been using them to train their AI? Even if you haven't published them on Facebook?

To say nothing of Facebook's complicity in dividing cultures and fomenting violence and hate...

ndriscoll · 2h ago
> Facebook regularly shuts down accounts that engage in these sorts of abuse.

But does not fix the CSRF vulnerability, apparently.

mathiaspoint · 1h ago
Probably because they need it themselves for data collection.

cheschire · 2h ago
Finally, a reason why porn in incognito mode is actually a safety mechanism.

ta1243 · 1h ago
Running Facebook in incognito mode, or at least in a separate container, is also an essential safety mechanism.

medwards666 · 58m ago
... or just not running Faecesbook at all.

StrauXX · 2h ago
Original article: https://www.malwarebytes.com/blog/news/2025/08/adult-sites-t...

The linked article just regurgitates the source.

throwaway290 · 2h ago
The Ars article links to Malwarebytes, but the Ars article is better. The headline is better; it's most interesting that they run code from SVG. Ars also adds context on how the same hole was also used before to hijack Microsoft accounts, and also by the Russians. Whereas Malwarebytes is mostly about pornsite clickjacking to like Facebook posts (and complains about age verification). However, it has a bit more technical detail too. Read both I guess?
lostmsu · 43m ago
What's the hole? Neither appears to say.

ykonstant · 1h ago
I remember opening one SVG that totally wrecked my computer; I had to cold reboot. Nothing worked, the system hung down to the kernel. It was impressive. Never happened again with any other kind of file.

saagarjha · 2h ago
I'm curious how you can click the like button using JavaScript…

55555 · 1h ago
The user has to click on the image, so I think the SVG is embedding the FB like button onto the page and drawing another element on top of it to hide it.

johnisgood · 32m ago
Where is the SVG only?

QAkICoU7IDNkpFu · 2h ago
“The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.”

Well there's your problem right there.

mananaysiempre · 1m ago
Bog-standard CSRF is what that is. It’s essentially the second thing you guard against, right after sanitizing inputs to prevent XSS and SQL injection.
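
An added example, not from the article or either comment: the guards a state-changing endpoint such as a like button applies against cross-site requests (the CSRF mananaysiempre refers to), plus the response header that keeps the button from being framed and hidden under another element as 55555 describes. The site origin, request shape and all names are assumptions made for this example.

```python
# Added example, not from the article or thread: the server-side guards a
# state-changing endpoint such as a "like" action applies against the two
# things discussed above, a request fired from another site (CSRF) and a
# framed button hidden under another element (clickjacking). Requests are
# plain dicts and all names are this example's own assumptions.
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://social.example"  # assumed origin of the protected site
_SECRET = secrets.token_bytes(32)       # per-process key for binding tokens


def issue_csrf_token(session_id: str) -> str:
    """Bind the token to the session so one session's token can't be replayed in another."""
    return hmac.new(_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def allow_state_change(req: dict) -> tuple[bool, str]:
    """Decide whether a request may mutate state; returns (allowed, reason)."""
    h = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req.get("method", "GET").upper() != "POST":
        return False, "state changes must be POST"
    # With SameSite=Strict cookies a cross-site POST arrives with no session
    # at all, so the absence of the cookie is itself a rejection.
    session_id = req.get("cookies", {}).get("session")
    if not session_id:
        return False, "no session cookie"
    # Browsers set Sec-Fetch-Site on every request and page script cannot
    # override it; fail closed when it is missing (very old browsers).
    site = h.get("sec-fetch-site", "cross-site")
    if site not in ("same-origin", "none"):
        return False, f"sec-fetch-site={site}"
    # Origin is sent on POSTs and likewise cannot be forged by page script.
    if h.get("origin") != SITE_ORIGIN:
        return False, f"origin={h.get('origin')}"
    # Double submit: the form must carry the token bound to this session.
    supplied = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), issue_csrf_token(session_id).encode()):
        return False, "csrf token mismatch"
    return True, "ok"


def response_headers() -> dict:
    """Headers that stop the page, and its buttons, being framed by other sites."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",  # for browsers without CSP support
    }
```

A button that is never framed cannot be covered by an overlay, and a request that fails any of these checks is logged and dropped rather than counted as a like.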

ajross · 1h ago
SVG really is just an awful format. What the market wanted was a clean, easily parseable specification for vector image data based on a solid rendering specification. What it got was an extensible HTML-like scripting language where all the vector stuff was ad hoc and poorly implemented, and where (this is the bit that absolutely drives me up the wall) the actual image data is not stored in the metadata format they chose. You have to parse this entirely different string format if you want to extract the points on your curve or whatever!

lostmsu · 1h ago
This makes no sense. How does SVG click Facebook like button? Is there a vulnerability? The post doesn't say anything like that.

Why are they clicking like buttons instead of stealing money from bank accounts then?

zb3 · 59m ago
Yeah, at first I thought this was about a browser 0day.. but no, so where is the vulnerability? Is Facebook vulnerable?