Absence of Launchable File Warning for .webloc Files in Firefox on macOS
Categories: Firefox :: File Handling, defect
People: Reporter: fazim.pentester, Unassigned
Details: Keywords: reporter-external, Whiteboard: [keep hidden while 1786188 is][reporter-external] [client-bounty-form] [verif?]
Attachments (1 file): 256 bytes, application/x-apple-systemprofiler+xml
This vulnerability is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1786188. Recently, Firefox on macOS addressed the issue where the warning for executable files was not displayed upon downloading .afploc and .ftploc files. I have discovered that the launchable file warning is also not present for .webloc files, thus allowing them to be launched directly without any warning after download.
Updated • 1 year ago

Comment 1 • 1 year ago, :Gijs (he/him)
Opening google.com (which is what the attached file does) or any other public website isn't particularly scary - an attacker could just navigate there directly. Can webloc files actually open local apps? That's why the other files were blocked from working in this way.
Comment 2 • 1 year ago, Reporter
What if Safari was vulnerable and an attacker wanted to launch an attack on that browser using this method?
Comment 3 • 1 year ago, Reporter
I tried to launch local apps myself, but I couldn't. I don't know if there's a way, but I still reported this because it could launch URLs in different browsers, such as Apple Safari as the default from a Firefox browser.
Comment 4 • 1 year ago, Daniel Veditz [:dveditz]

> What if Safari was vulnerable...

Then Safari should fix it, because all the people who use Safari as their default browser could be sent to that malicious web address at any time while they're browsing the web. And users should make Firefox their default browser.
This behavior is as intended.
Comment 5 • 1 year ago, Reporter
(In reply to :Gijs (he/him) from comment #1)
> Opening google.com (which is what the attached file does) or any other public website isn't particularly scary - an attacker could just navigate there directly. Can webloc files actually open local apps? That's why the other files were blocked from working in this way.

Technically speaking, Safari is a local app in macOS.

(In reply to Daniel Veditz [:dveditz] from comment #4)
> > What if Safari was vulnerable...
> Then Safari should fix it, because all the people who use Safari as their default browser could be sent to that malicious web address at any time while they're browsing the web. And users should make Firefox their default browser.
> This behavior is as intended.

Firefox, on the other hand, does not natively support the '.webloc' file format on macOS. As a result, '.webloc' files are always opened in Safari by default.
Comment 6 • 1 year ago, Reporter
I believe this is a similar issue, but I trust in your expertise and will leave the decision up to your discretion. Thank you.
Comment 7 • 1 year ago
The intent of the .webloc file is to be as safe as linking to a URL inside the (Safari) browser. On a Mac we have to trust that Apple is maintaining those guarantees. All complex software will have security bugs, but Apple does as responsible a job as any.
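Since Firefox does not handle .webloc files itself and passes them to the macOS default handler, anyone triaging a downloaded .webloc has to parse it to learn what it would open. The following is an added example, not code from this bug thread or from Mozilla; it assumes a .webloc is an Apple property list whose top-level dictionary holds the target under a `URL` key (the layout Finder writes), and the sample URLs are constructed for the demonstration.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Schemes a browser treats as an ordinary web link; anything else is
# flagged for review before the file reaches the default handler.
WEB_SCHEMES = {"http", "https"}


def make_webloc(url: str) -> bytes:
    """Build the plist a .webloc carries: a top-level dict whose 'URL'
    key holds the target. Used here only to construct sample files."""
    return plistlib.dumps({"URL": url})


def webloc_target(data: bytes) -> str:
    """Return the URL a .webloc would open, or raise ValueError if the
    bytes are not a plist of the expected shape (XML or binary plist)."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError(f"not a property list: {exc}") from exc
    if not isinstance(plist, dict) or not isinstance(plist.get("URL"), str):
        raise ValueError("plist has no string 'URL' key")
    return plist["URL"]


def classify_webloc(data: bytes) -> dict:
    """Summarise what opening the file would do: target URL, scheme,
    host, and whether the scheme is a plain web link."""
    url = webloc_target(data)
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return {
        "url": url,
        "scheme": scheme,
        "host": parts.hostname or "",
        "web_link": scheme in WEB_SCHEMES,
    }


if __name__ == "__main__":
    # Constructed samples: the first mirrors the bug's attachment, which
    # opened google.com; the second shows a non-web scheme being flagged.
    for sample in (make_webloc("https://www.google.com/"),
                   make_webloc("ftp://files.example.net/pub/")):
        print(classify_webloc(sample))
```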
Updated • 28 days ago