this post was submitted on 14 Sep 2024
1638 points (99.0% liked)
Technology
59414 readers
3075 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Thats why on Linux you need to run the sudo command and type the root password (or user password) to install something. I get this isn't Linux but its a serious security vulnerability that someone could run a super user level command by clicking yes on a confirmation box that pops up so often that nobody thinks twice.
The goal is not always to "take control" of the whole system. A cryptolocker that makes all your files unreadable will happily run in user space.
Also, you're forgetting that windows also have UAC, and that people will happily type the admin password of their device when asked to, because they've been conditioned to not care by badly made stuff. And, while win+r is unlikely to work in most Linux DE I know about, triggering a visual prompt that ask for your password is also a thing.
There is not much difference between common Linux distro and windows as far as seizing user files with malware is concerned, aside from the fact that no website will care to try telling you "press alt+space" instead of "win+r".
You don't need root access to steal all of the data that your user account has access to.
If Linux was more popular, you would definitely see a Linux variant of this doing the exact same thing.
The only issue I see with targeting Linux is the sheer variety of Desktop setups. Finding one keyboard shortcut and payload that will work on even just the majority of distros would be a challenge.
(Citation needed)
But something like this can still erase everything stored in your home folder or launch further exploits to gain root or something.
Its a lot harder and can do significantly less damage if it doesnt have root privileges, its like how putting a lock on the door to your house wont stop thieves but its better then not having one.
Bruh, let's say an attacker deleted all of my important documents, say book drafts, and assume I don't have a backup.
Now my progress has been set back six months and the publisher is angry.
Would I care if they deleted my system files or not?
Or, session cookies. They don't need special privilege to access, and if you grab all of someone's cookies, you can probably get some valid session cookies for logged in accounts just by checking for some common domains in one/by keyword.
From there, it would be trivial to get into email, social media, and other accounts to do other things with.
And that, kids, is why you should never click on random links
The behavior is configurable just like it is on linux, UAC can be set to require a password every time.
But I think its not set this way by default because many users don't remember their passwords, lol. You think I'm kidding, you should meet my family...
Also, scripts can do plenty without elevation, on linux or Windows.
It should be default, its a good security practice and not every app needs super user permissions.