Closed Bug 1816132 Opened 1 year ago Closed 1 year ago

Absence of Launchable File Warning for .webloc Files in Firefox on MacOS

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: fazim.pentester, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [keep hidden while 1786188 is][reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

test.webloc
256 bytes, application/x-apple-systemprofiler+xml
Details
Attached file test.webloc

This vulnerability is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1786188. Recently, the Firefox on MacOS addressed the issue where the warning for executable files was not displayed upon downloading .afploc and .ftploc files. I have discovered that the launchable file warning is also not present for .webloc files, thus allowing them to be launched directly without any warning post-download.

Flags: sec-bounty?
Component: Security → File Handling

Opening google.com (which is what the attached file does) or any other public website isn't particularly scary - an attacker could just navigate there directly. Can webloc files actually open local apps? That's why the other files were blocked from working in this way.

What if Safari was vulnerable and an attacker wanted to launch an attack on that browser using this method.

I tried to launch local apps myself, but I couldn't. I don't know if there's a way, but I still reported this because it could launch URLs in different browsers, such as Apple Safari as the default from a Firefox browser.

What if Safari was vulnerable...

Then Safari should fix it, because all the people who user Safari as their default browser could be sent to that malicious web address at any time while they're browsing the web. And users should make Firefox their default browser.

This behavior is as intended.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
See Also: → CVE-2022-46875
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [keep hidden while 1786188 is][reporter-external] [client-bounty-form] [verif?]

(In reply to :Gijs (he/him) from comment #1)

Opening google.com (which is what the attached file does) or any other public website isn't particularly scary - an attacker could just navigate there directly. Can webloc files actually open local apps? That's why the other files were blocked from working in this way.

Technically speaking, Safari is a local app in macOS.

(In reply to Daniel Veditz [:dveditz] from comment #4)

What if Safari was vulnerable...

Then Safari should fix it, because all the people who user Safari as their default browser could be sent to that malicious web address at any time while they're browsing the web. And users should make Firefox their default browser.

This behavior is as intended.

Firefox, on the other hand, does not natively support the '.webloc' file format on MacOS. As a result, '.webloc' files are always opened on Safari by default.

I believe this is a similar issue, but I trust in your expertise and will leave the decision up to your discretion. Thank you.

The intent of the .webloc file is to be as safe as linking to a URL inside the (safari) browser. On a Mac we have to trust that Apple is maintaining those guarantees. All complex software will have security bugs, but Apple does as responsible a job as any.

Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: