file theft vulnerability hidden in firefox for 17 years?

Posted by fierce at 2020-04-08

As long as a victim opens a specially crafted HTML file with Firefox, an attacker can steal sensitive files stored on the victim's computer. Recently, security researcher Barak Tawily disclosed this high-risk vulnerability, which has been present in Firefox for 17 years. He also published the details in a blog post and showed that even the latest Firefox browser is affected.

According to The Hacker News, security researcher Barak Tawily shared with them a vulnerability that had been hidden in Firefox for 17 years, and he had successfully developed a proof-of-concept (PoC) against the latest version of Firefox.

The researcher found this vulnerability while analyzing the same-origin policy in Firefox.

"Recently, while researching the same-origin policy, I suddenly discovered that, because of a flaw in how the same-origin policy handles file scheme URIs, even the latest version of Firefox (currently 67) has a local file theft vulnerability (on any operating system). Now let's look at the details of the PoC and see what this is all about."

According to Tawily, Firefox has not attempted to fix the file URI scheme bug in its same-origin policy (SOP) for many years.

Tawily also shared a video of his PoC attack. He said that if the victim saves the attacker's file into a directory containing an SSH private key file, the attacker can easily steal the victim's SSH private key on a Linux system.


The attack process is as follows:

1. The attacker first sends the victim a specially crafted email containing an attachment to download, or the victim visits a malicious website and downloads the file.

2. The victim opens a malicious HTML file.

3. An iframe in the HTML file tries to load the directory that contains it. For example, if the path to the malicious file is

So the iframe's source path is


4. Once the victim clicks a button on the malicious HTML page, they are in fact clicking the malicious HTML file in the iframe's directory listing (clickjacking, combined with the "context switching bug" that lets the malicious HTML access the folder).

5. At this point, the malicious iframe has elevated permission to read any file in the folder where the malicious file is located (in most cases the download folder, file:///home/user/).


6. The malicious HTML file can therefore read any file under file:///home/user/. For example, an attacker can read the SSH private key at file:///home/user/.ssh/id_rsa and then send a request containing the contents of the private key to the attacker's server.


7. The whole attack completes as soon as the victim opens the malicious HTML file in Firefox and clicks a button.
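The attack chain above hinges on a downloaded HTML file embedding an iframe that points at its own directory (a file:/// URL or a relative "./" source), often hidden for clickjacking. As an added defensive example that is not part of the original article or Tawily's PoC, the scanner below flags such iframes in HTML files found in a download folder; the sample HTML inputs are constructed.

```python
"""Heuristic triage of downloaded HTML files for file:// directory iframes.

Added example, not from the original article. Constructed sample inputs.
"""
from html.parser import HTMLParser


class FileIframeScanner(HTMLParser):
    """Collect iframes whose src targets the local file system."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # bare attributes arrive with a value of None
        src = (a.get("src") or "").strip()
        style = (a.get("style") or "").replace(" ", "").lower()
        # A file: URL or a relative "./" src resolves to the directory the
        # HTML file was saved in when it is opened from file://.
        if src.lower().startswith("file:") or src in (".", "./"):
            hidden = "opacity:0" in style or "visibility:hidden" in style
            self.findings.append({"src": src, "hidden": hidden})


def scan_html(text):
    """Return a list of suspicious iframes found in the HTML text."""
    parser = FileIframeScanner()
    parser.feed(text)
    return parser.findings


def risk_level(text):
    """'high' if a hidden file: iframe is present (clickjacking pattern),
    'low' if a visible one is present, otherwise 'none'."""
    findings = scan_html(text)
    if any(f["hidden"] for f in findings):
        return "high"
    return "low" if findings else "none"


# Constructed samples: a harmless page and one matching the described pattern.
BENIGN_HTML = '<html><body><iframe src="https://example.com/"></iframe></body></html>'
SUSPECT_HTML = (
    '<html><body><iframe src="file:///home/user/" '
    'style="opacity: 0; position:absolute"></iframe>'
    '<button>Click me</button></body></html>'
)

if __name__ == "__main__":
    print(risk_level(BENIGN_HTML), risk_level(SUSPECT_HTML))
```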


Although Tawily reported the vulnerability to Mozilla, Mozilla did not appear to consider it a significant vulnerability.

"This is our same-origin policy, which allows each file:// URL to access all files in the same folder and its subfolders."

This article was compiled and translated by 白帽汇 and does not represent the views or positions of 白帽汇. Source: