Closed Bug 1814701 Opened 2 years ago Closed 2 years ago

Possible to download dangerous files .url/.scf/.lnk/.local using WebExtensions

Categories

(WebExtensions :: General, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1810793

People

(Reporter: fazim.pentester, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file WebExtension.rar

Firefox has implemented a security measure aimed at protecting its users by replacing the download of malicious shortcut extensions, such as .url, .lnk, .scf, .local, and others, with the ".download" extension. However, it has been discovered that attackers can utilize WebExtensions to host and download such files.

A similar issue has been previously reported by me in Mozilla's bug tracking system (https://bugzilla.mozilla.org/show_bug.cgi?id=1810143) and has recently been addressed in the latest beta version of Firefox (110.0).

After conducting thorough testing on the latest version of Firefox, it has been determined that all dangerous extensions can still be downloaded via WebExtensions, indicating a lack of a filter to prevent this vulnerability on the WebExtension side. This vulnerability is of a more severe nature, given the ability of not only .url extensions, but also .scf, .lnk, and .local extensions to be downloaded as well.

I have provided a RAR file containing the WebExtension which can be directly extracted and loaded into the about:debugging#/runtime/this-firefox for testing.

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1810793
Resolution: --- → DUPLICATE

The ability to choose a file name is a feature. Extensions can currently download to an arbitrary file name or directory within the (user-configured) Downloads.

Being stricter on the file names or even changing their extension may not be backwards-compatible, but if there is a good reason to, we could consider that.

For comparison, I checked Chrome's behavior.
In the far past (e.g. Chrome 40), it prompted about dangerous files, to either keep or discard it (without creating the file in the destination).
These days, Chrome appears to change the file extension. E.g. if foo.sh is passed, foo.txt is created instead.

Status: RESOLVED → REOPENED
Component: Security → General
No longer duplicate of bug: 1810793
Ever confirmed: true
Product: Firefox → WebExtensions
Resolution: DUPLICATE → ---
Status: REOPENED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1810793
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
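
The extension rewrite described in the report, applied to a file name requested by a WebExtension, as an added example that is not Firefox's code or part of this bug. The function name and sample inputs are hypothetical, and the blocked list holds only the four extensions named in the report.

```javascript
// Added example: filename check modelled on the behaviour described in this bug.
// BLOCKED_EXTENSIONS lists only the extensions named in the report; the
// function name and the inputs used with it are constructed for illustration.
const BLOCKED_EXTENSIONS = new Set(["url", "lnk", "scf", "local"]);

function sanitizeDownloadName(requested) {
  // Extensions may request a sub-directory inside Downloads, so split on
  // both separators and examine only the final path component.
  const parts = requested.split(/[\\/]/);
  let leaf = parts.pop();

  // Windows drops trailing dots and spaces when it creates a file, so
  // "a.lnk." and "a.lnk " both land on disk as "a.lnk". Strip them first,
  // otherwise the extension check below sees an empty or wrong extension.
  leaf = leaf.replace(/[. ]+$/, "");

  // Compare the last extension case-insensitively (.LNK equals .lnk).
  const dot = leaf.lastIndexOf(".");
  const ext = dot >= 0 ? leaf.slice(dot + 1).toLowerCase() : "";

  if (BLOCKED_EXTENSIONS.has(ext)) {
    // Replace the shortcut extension with ".download", as the report
    // describes for ordinary downloads.
    leaf = leaf.slice(0, dot) + ".download";
  }

  parts.push(leaf);
  // Directory components are kept; separators are normalised to "/".
  return parts.join("/");
}
```

Only the final extension is checked, so a name such as `archive.url.zip` passes through unchanged.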