Closed Bug 1443762 Opened 7 years ago Closed 7 years ago

Read all local files using minimal user interaction and gesture laundering

Categories

(Firefox :: Untriaged, defect)

56 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1338637

People

(Reporter: amanmahendra00, Unassigned)


Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Steps to reproduce:

If you look at the PoC, you will notice I ask the user to hold down the Enter button. Using some simple JavaScript I am then able to trick the user into giving me access to all of his/her files on the local disk. Having the user hold down the Enter key for literally no more than 5 seconds is enough to read their entire computer. I don't think this is a lot to ask given the severity.

There are multiple issues with the folder upload feature on Mozilla:

- The file dialogue always defaults to C:
- The file dialogue can be triggered without the user clicking anything.
- Once the dialogue opens, all a user needs to do is press Enter, with nothing else needed. This is different from the normal file uploader, where you have to select something first.
- Most importantly, the 'webkitdirectory' feature actually crawls through all the files, irrespective of the 'accept' attribute value. In the PoC here I set accept=plain/* and I end up reading everything, including images and binaries.

This is extremely dangerous for Mozilla users, and just to give you proof that this is a bug: if the user allows opening pop-ups for any site.

Actual results:

Using a hidden input[type=file] element, in conjunction with minimal user interaction, I am able to read _ALL THE FILES IN A VICTIM'S LOCAL DISK_. Please refer to the PoC for a live example.

Expected results:

I would suggest not always defaulting to C:/ but rather defaulting to something like My Computer, and of course do not allow crawling of all the folders within a certain folder.
It's pretty disingenuous to basically copy an issue that was publicized by someone else without due credit in the bug comments. But also, the original report by @qab linked to all the bugs in question so I don't understand why you thought it was worth reporting a duplicate. Anyway, this is a clear-cut dupe, all the way into the testcase and issue description.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
