Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim’s computer.
Barak Tawily, an application security researcher, shared his findings , where he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser.
The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the “file://” scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders.
Since the Same Origin Policy for the file scheme has not been defined clearly in the RFC by IETF, every browser and software have implemented it differently—some treating all files in a folder as the same origin whereas other treat each file as a different origin.
Tawily said that Firefox is the only major browser that didn’t change its insecure implementation of Same Origin Policy (SOP) for File URI Scheme over time and also supports Fetch API over file protocol.
Demo: Firefox Local Files Theft (Unpatched)
Though the implementation weakness in Firefox has already been discussed on the Internet over and over again in previous years, this is the first time when someone has come up with a complete PoC attack that puts security and privacy of millions of Firefox users at risk.
Video Source YouTube (Barak Tawily): //www.youtube.com/watch?v=XU223hfXUVY
As shown in the video demonstration, Tawily exploited this old-known issue in combination with a clickjacking attack and a “context switching” bug that allowed his exploit code to automatically:
- get the list of all files located in the same folder and subfolders where the malicious HTML has been downloaded by the browser or saved by the victim manually,
- read the content of any specific or all files using Fetch API, and then
- send collected data to a remote server via HTTP requests.
For a successful execution of this attack, attackers are required to trick victims into downloading and opening a malicious HTML file on the Firefox web browser and click on a fake button to trigger the exploit.
Tawily said that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, as soon as they click the button place carefully on the malicious HTML page.
It should be noted that this technique only allows the malicious HTML file to access other files in the same folder and its subfolders.
In his PoC attack scenario, Tawily shows how an attacker can easily steal secret SSH keys of Linux victims if a user saves downloaded files in the user-directory, which also contains SSH keys in its subfolder.
Firefox is not going to patch it anytime soon
The researcher responsibly reported his new findings to Mozilla, who responded by saying “Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.”
This suggests that the company currently seems to have no plans to fix this issue in its browser anytime soon.
While talking about an alternative approach to fix this issue, Twaily said, “Security-wise I think this should be addressed in RFC side, that should enforce user-agents (browsers) to implement the most secure approach, and don’t allow developers make such mistakes that leave the client exposed to such attacks.”
In 2015, researchers discovered a similar, but remotely executable, vulnerability in the same-origin policy for FireFox that attackers exploited in the wild to steal files stored on Firefox users’ computers when they clicked malicious ads on websites.
Though the newly demonstrated attack requires a little more of social engineering, many Firefox users can still easily fall victim to this as well.