Bug 1499461 - A Flaw That Leads to Stealing Local Files in a Android Phone
Status: RESOLVED DUPLICATE of bug 1049043 (Closed)
Opened 7 years ago; closed 7 years ago
Product / Component: Firefox for Android Graveyard :: General, defect
Tracking: Not tracked
Reporter: aniltom555; Assignee: Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Steps to reproduce:
1st Step: Create an HTML page with the following code
<html>
<body>
<iframe src="file:///storage/emulated/0/file.txt" frameborder="0" height="500" width="95%"></iframe>
</body>
</html>
2nd Step: Send this file to the victim's email and open it in Firefox
Actual results:
After opening the mail from the attacker, the file on the victim's phone can be shown in the desktop. During tests I could steal data from local computers.
On an Android phone the basic file storage path is "file:///storage/emulated/0/",
so an attacker can try this on any Android Firefox user.
Expected results:
Normally, when we enter file:///storage/emulated/0/ it should not give the internal files of the phone memory. In this case it gives the user's files, and this can also be exploited to steal the data and send it to a remote user by modifying the HTML code.
PoC Video Links: https://drive.google.com/file/d/1ZQNPVMWNkZ4j06jlYci0wefpHL2Oy2Ro/view?usp=drivesdk
https://drive.google.com/file/d/1txav0n1aj8Zrq91bbwdKEaWZpaHnw9JF/view?usp=drivesdk
Updated 7 years ago (Reporter)
Summary: A Flaw Lets Attackers can Steal Local Files → A Flaw That Leads to Stealing Local Files in a Android Phone
Thanks for the report. Can you elaborate a little more about your steps to reproduce? I assume you mean send to the native Android email client (not a webmail client like Fastmail, Gmail, Hotmail etc). I also assume that you open the email attachment in Firefox. I presume what is happening here is that the attachment is stored on the file system, at a URL similar to "file:///storage/emulated/0/ATTACHMENTNAME.HTML". Actually I can see from your video that this is the case.
From a same-origin policy standpoint, this is normal and allowed (at least currently).
Now all of that said, if Android puts all of its files into one directory, this might be something we want to prohibit. But aside from moving to a more strict same origin policy for file: uris, the only thing I can think that we could do in the short term is prohibit file: URIs entirely on Android (which would break the use case).
I'm not an Android user, but does anyone else know what the situation is for other browsers (android/chrome etc)?
Given the user interaction required here I'd rate this as a low risk (assuming that this is basically equivalent to the same on desktop with the downloads folder)
Long term the solution is aligning file: URI behavior, i.e. https://github.com/whatwg/html/issues/3099
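To make the policy discussion in this comment concrete, here is an added example (not code from the bug or from Firefox) that models three candidate same-origin policies for file: URIs and evaluates them on the PoC's own paths: the permissive "every file: URI is one origin" behaviour described as current, the stricter directory-scoped policy the comment mentions, and a per-file unique origin. The policy names, the function and the subdirectory sample path are my own assumptions.

```python
from urllib.parse import urlparse
import posixpath

# Hypothetical policy names used only by this example.
POLICIES = ("any_file", "same_directory", "unique_origin")


def _file_path(url: str) -> str:
    """Return the normalized path of a file: URI (rejects other schemes)."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError(f"not a file: URI: {url}")
    # normpath collapses "dir/../x" so a path cannot pretend to live in "dir/".
    return posixpath.normpath(parsed.path)


def file_load_allowed(loader: str, target: str, policy: str) -> bool:
    """Would a document at `loader` be allowed to read `target`?

    any_file       -- all file: URIs share one origin (the behaviour the
                      comment calls "normal and allowed" at the time)
    same_directory -- a file may read only its own directory or below
                      (the "more strict same origin policy" mentioned)
    unique_origin  -- each file: URI is its own origin; cross-file reads blocked
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    src, dst = _file_path(loader), _file_path(target)
    if policy == "any_file":
        return True
    if policy == "unique_origin":
        return src == dst
    base = posixpath.dirname(src).rstrip("/") + "/"
    return dst == src or dst.startswith(base)


# Constructed sample: the attachment location from this comment and the
# iframe target from the PoC in the report.
ATTACHMENT = "file:///storage/emulated/0/ATTACHMENTNAME.HTML"
TARGET = "file:///storage/emulated/0/file.txt"


def poc_outcome() -> dict:
    """Which policies let the PoC's iframe load the victim's file."""
    return {p: file_load_allowed(ATTACHMENT, TARGET, p) for p in POLICIES}


if __name__ == "__main__":
    for policy, allowed in poc_outcome().items():
        print(f"{policy:15s} -> {'loads file.txt' if allowed else 'blocked'}")
```

The result shows the point made in the comment: a directory-scoped policy still allows the load because the attachment and the target share the one directory Android puts everything in, and only a per-file origin blocks it.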
Comment 2, 7 years ago (Reporter)
Good Morning Mozilla Security Team,
1st, in Android all the files are in one directory and its path is "file:///storage/emulated/0/", so the attacker can easily create the code and get access to the victim's files.
Then, if you check with another web browser like Google Chrome, it will deny access to the "file:///storage/emulated/0/" directory.
The PoC video link: https://drive.google.com/file/d/1a3Lf-BUtTiR_dM1xMJSapCoFQleQukH9/view?usp=drivesdk
Comment 3, 7 years ago (Reporter)
You should also read this article: https://www.netsparker.com/blog/web-security/stealing-local-files-with-simple-html-file/
Comment 4, 7 years ago (Kevin Brosnan [:kbrosnan])
/storage/emulated/0/ is a world readable part of the Android operating system. Secure data should not be stored in it. Firefox does not store any critical data in it.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Keywords: sec-low
Resolution: --- → DUPLICATE
Comment 5, 7 years ago (Reporter)
(In reply to Kevin Brosnan [:kbrosnan] from comment #4)
> /storage/emulated/0/ is a world readable part of the Android operating
> system. Secure data should not be stored in it. Firefox does not store any
> critical data in it.
Hello Team, as you said, the previous case https://bugzilla.mozilla.org/show_bug.cgi?id=1049043 was all about "file:///" and it was blocked, but I am telling you about "file:///storage/emulated/0/", which is the same for all Android users, and an attacker can remotely access the victim's files. That is the reason all other browsers are blocking the permission.
You said that there are no important files in "file:///storage/emulated/0/", but it is the main path, and for all users whose phone has an SD card every file will be stored in this file path, so it should not be displayed to the public.
Updated 4 years ago (Assignee)
Product: Firefox for Android → Firefox for Android Graveyard