Old Unpatched Firefox Vulnerability Allows For Stealing of Files Via a Malicious HTML File

  • 16

Opening HTML files in browsers is a pretty harmless practice. Yet, an old Firefox vulnerability turns it into a security threat. Exploiting this vulnerability can allow an attacker to steal files on the target system simply by opening HTML files in the browser. What’s terrible here is that the bug remains unpatched despite previous reports.

Firefox Vulnerability In Opening HTML Files

Researcher Barak Tawily has pointed out a vulnerability that risks users data security. The vulnerability, upon exploit, can allow an attacker steal files from the device by simply abusing a HTML file.

Describing his findings in a blog post, Tawily elaborated how the flaw allows local file theft by abusing the way the browser opens HTML files. The problem lies with the Same Origin Policy for file:// scheme URIs that Firefox implements. An attacker may trick a user to open a malicious HTML file in the browser and click on a button to execute the exploit. The attacker can send such files to the victim via email. Or, the victim may browse to the malicious website on his own.

Elaborating this scenario, the researcher stated,

The victim thinks he clicks on a button on the malicious HTML, but in fact, he is clicking on the malicious file html inside the iframe’s directory listing (using ClickJacking technique, in order to apply the “context switching bug” which allows me access the directory listing of my containing folder).

The attacker may then gain access to the other files stored in the folder having the malicious HTML file.

The malicious file is able to read any file on it’s containing folder (file:///home/user/), such as SSH private key by simply fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file by 1 more fetch request to the attacker’s malicious website with the files’ content.

The following video shared by the researcher demonstrates the exploit.

Bug Remains Unpatched Despite Being Known

According to the researcher, this isn’t the first time that someone has pointed out such exploit. Mozilla are aware of the potential for exploitation, when Dave Kimberley reported it for the first time. Eerily, the flaw remains unpatched even after 17 years of the first report.

When Tawily reported the bug, he received the following response,

Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.

Consequently, the vulnerability still affects the latest Firefox browser versions (including Firefox 67) across all operating systems. The researcher once again highlighted the matter in the hope that Mozilla pays attention and applies a  fix this time around.

Take your time to comment on this article.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!