Security researcher Barak Tawily recently came across a 17-year-old security vulnerability in Mozilla Firefox’s latest version. It turns out that the widely popular browser is vulnerable to a local file theft attack on any operating system.
Vulnerability in Firefox Allows Local Files Theft
The attack is possible due to improper implementation of Same Origin Policy for file scheme URLs, the researcher said. There’s also a proof-of-concept for the attack. The vulnerability is yet to be patched.
In other words, the vulnerability would allow attackers to steal files stored on the user’s computer. The attack leverages the way the Firefox browser implements the Same Origin Policy for the “file://” scheme URI (Uniform Resource Identifier), which allows any file in a folder on the system to access files in the same folder and its subfolders.
The researcher shared a complete attack scenario based on this vulnerability:
1. The attacker sends an email to the victim with an attachment to be downloaded, or the victim browses to a malicious website and downloads a file
2. The victim opens the malicious HTML file
3. The file loads its containing folder in an iframe (so my file path is file:///home/user/-malicious.html, and the iframe source will be file:///home/user/)
4. The victim thinks he is clicking a button on the malicious HTML page, but in fact he is clicking the malicious HTML file inside the iframe’s directory listing (using a clickjacking technique, in order to trigger the “context switching bug” which allows me to access the directory listing of my containing folder)
5. The malicious iframe now has escalated privileges and is able to read any file in the folder containing the malicious file (in most cases the Downloads folder; in my case it is file:///home/user/)
6. The malicious file is able to read any file in its containing folder (file:///home/user/), such as an SSH private key, by simply fetching the URL file:///home/user/.ssh/ida_rsa, and can steal any file with one more fetch request to the attacker’s malicious website carrying the file’s content
7. The attacker obtains all files in the folder containing the malicious file by exploiting this vulnerability
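To make the policy difference concrete, here is an added example (not Firefox code and not the researcher’s proof of concept) that models the folder-scoped file:// rule the article describes beside a stricter per-file origin rule, and evaluates which constructed sample paths a downloaded HTML file could read under each. The URLs and paths are assumed for illustration only.

```python
from urllib.parse import unquote, urlsplit
import posixpath

def file_path(url: str) -> str:
    """Normalised filesystem path of a file:// URL: percent-encoding decoded
    and '..' collapsed, so file:///home/user/Downloads/../.ssh/id_rsa is
    compared as /home/user/.ssh/id_rsa instead of dodging a prefix check."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        raise ValueError(f"not a file:// URL: {url!r}")
    return posixpath.normpath(unquote(parts.path))

def containing_dir(url: str) -> str:
    """Folder holding the document: /home/user for file:///home/user/x.html."""
    return posixpath.dirname(file_path(url))

def allowed_folder_scoped(page_url: str, target_url: str) -> bool:
    """Folder-scoped rule the article describes: the page may read its own
    folder (the directory listing included) and anything below it. The
    trailing '/' stops /home/user from matching /home/user2."""
    base = containing_dir(page_url)
    target = file_path(target_url)
    return target == base or target.startswith(base.rstrip("/") + "/")

def allowed_per_file(page_url: str, target_url: str) -> bool:
    """Stricter alternative: every file:// URL is its own origin, so a page
    may read nothing but itself."""
    return file_path(page_url) == file_path(target_url)

def reachable(page_url: str, targets: list[str]) -> dict[str, tuple[bool, bool]]:
    """Verdict (folder_scoped, per_file) for each target under the two rules."""
    return {t: (allowed_folder_scoped(page_url, t), allowed_per_file(page_url, t))
            for t in targets}

if __name__ == "__main__":
    # Constructed sample URLs mirroring the article's scenario (not real hosts).
    targets = ["file:///home/user/", "file:///home/user/.ssh/id_rsa",
               "file:///home/user/Downloads/../.ssh/id_rsa", "file:///etc/passwd"]
    for page in ("file:///home/user/-malicious.html",
                 "file:///home/user/Downloads/malicious.html"):
        print(page)
        for t, (folder, per_file) in reachable(page, targets).items():
            print(f"  {t:46} folder-scoped={folder!s:5} per-file={per_file}")
```

Running it shows why the researcher’s home-folder placement matters: a file opened from /home/user reaches .ssh under the folder-scoped rule, while the same file opened from /home/user/Downloads does not, and neither does under the per-file rule.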
The researcher believes that the issue stems from the web origin RFC, which does not describe a well-defined implementation of the SOP for file scheme URLs.
Tawily was curious to see for how long Firefox had been ignoring complaints about this “insecure approach” without doing anything about it. To his surprise, he found a bug quite similar to this vulnerability (except for the directory listing context switch bug) that had already been reported 17 years earlier.
Tawily reported his findings to Mozilla, who responded that this was a “duplicate report”, adding that “the specification of the Same Origin Policy is unclear here. Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders”.