An application security researcher recently found out that downloading an HTML attachment could allow hackers to steal files stored on a victim’s computer.
The researcher, Barak Tawily told The Hacker News that he successfully developed a new proof-of-concept attack against Firefox by using an old issue with the browser which is still present even in its latest version.
By taking advantage of the way Firefox uses Same Origin Policy (SOP) for the “file://” scheme URI (Uniform Resource Identifiers), any folder on a system can get access to files in the same folder and subfolders. Now since this Same Origin Policy for the scheme has not been defined clearly in the RFC by IETF, some browsers treat all files in a folder as the same origin while others treat the file with a different origin.
Tawily said that Firefox is the only browser that did not change the insecure implementation of SOP for file URI Scheme. The browser also supports Fetch API over file protocol.
Through a video demonstration, Tawily was able to show for the first time a complete PoC attack that threatens the security and privacy of Firefox users. Tawily exploited the said known Firefox issue and combined it with a clickjacking attack and a “context switching” bug.
This allowed his exploit code to get the list of all files located in the same folder and subfolders where the malicious HTML has been downloaded by the browser or saved by the victim manually, read the content of any specific or all files using Fetch API and send collected data to a remote server via HTTP requests.
For this attack to be successfully executed though, the attackers need to fool Firefox users to download and open a malicious HTML file on the browser. Additionally, victims would also have to click on a fake button to start the exploit. All these actions could happen secretly in the background within seconds and without the knowledge of the victims.
Although the attack requires a bit of social engineering, any Firefox user can still be a victim. Unfortunately, when Tawily reported his findings to Mozilla, the company seems to have no plans of fixing the issue, saying just “Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.”