Closed Bug 1455644 Opened 6 years ago Closed 5 years ago

local file information leak on Mac using .DS_Store file


(Core :: DOM: File, defect)

61 Branch
Not set





(Reporter: llamakko, Unassigned)


(Keywords: csectype-disclosure, privacy, sec-moderate)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

# Prior knowledge
When opening a local HTML file in Firefox, it's possible to obtain files under the same directory.

## e.g.
### Directory structure
|-- parent
|   |-- child
|   |   `-- child.txt
|   |-- current.txt
|   `-- test.html
`-- parent.txt

### test.html
let files = ['current.txt', '../parent.txt', 'child/child.txt'];

for (let file of files) {
  let url = new URL(file, location.href).href;
  let xhr = new XMLHttpRequest();
  xhr.addEventListener('load', () => {
    console.log('OK: ' + file);
  xhr.addEventListener('error', () => {
    console.log('NG: ' + file);
  });'GET', url);
  xhr.responseType = 'text';

### Result

OK: current.txt
NG: ../parent.txt
OK: child/child.txt

# Required

Firefox must be set as the default browser for Mac.

# 1.
Please access the following page.

# 2.
A dialog will be displayed asking if you want to open a file, so just click on the "OK".

Actual results:

A list of files and directories in the download directory is displayed.

This is result of parsing .DS_Store file.

An attacker can use this list to acquire the contents of an arbitrary file via XHR and so forth.

Expected results:

I think that it would be better to reject cross-origin request of file: URI scheme.

In Google Chrome and Safari, this request is denied.
Flags: needinfo?(dveditz)
Group: firefox-core-security → core-security
Component: Untriaged → DOM: File
Product: Firefox → Core
Group: core-security → dom-core-security
Flags: needinfo?(dveditz)

I updated the PoC located at .
In the past, parsing of .DS_Store was done through an external server, but now it can to parse .DS_Store with JavaScript (to use local only).
I think it will make the attack even easier.

I am sorry that my English is so bad.
If you have any questions or something you don't understand, just let me know anytime.

Did we fix this in bug 1558299?

Flags: needinfo?(amarchesini)

Right. Let me close it as dup.

Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Flags: sec-bounty-
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.