17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

Discussion in 'other security issues & news' started by Minimalist, Jul 3, 2019.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    https://thehackernews.com/2019/07/firefox-same-origin-policy-hacking.html
     
  2. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    This is trivial to do, takes like a few lines of code (not counting the social engineering page which obviously has to look sophisticated and real to trick people). So anyway, what's the conclusion, other than why using firefox? The conclusion is, make a new folder when you're downloading html documents. The fetch api https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs can only access the same folder or subfolders, but since this is a brand new folder, there are no subfolders, and the same folder is this brand new folder with only the html file in it, so there's nothing else to read.
     
    Last edited: Jul 3, 2019
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,359
    Location:
    U.S.A. (South)
    Well while it might be a new (cough) POC to the researcher who managed to pick through and dig this one up, obviously it was not that formidable enough for the foulware actors to exercise much time or attention on. But still nice bug catch per a firefox reader.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Exactly, and always protect important data from being accessed by browsers, you can do this with file/folder protection tools.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.