Home Cyber Security News Old Unpatched Firefox Vulnerability Allows For Stealing of Files Via a Malicious HTML File

Old Unpatched Firefox Vulnerability Allows For Stealing of Files Via a Malicious HTML File

by Abeerah Hashim
old Firefox vulnerability

Opening HTML files in browsers is a pretty harmless practice. Yet, an old Firefox vulnerability turns it into a security threat. Exploiting this vulnerability can allow an attacker to steal files on the target system simply by opening HTML files in the browser. What’s terrible here is that the bug remains unpatched despite previous reports.

Firefox Vulnerability In Opening HTML Files

Researcher Barak Tawily has pointed out a vulnerability that risks users data security. The vulnerability, upon exploit, can allow an attacker steal files from the device by simply abusing a HTML file.

Describing his findings in a blog post, Tawily elaborated how the flaw allows local file theft by abusing the way the browser opens HTML files. The problem lies with the Same Origin Policy for file:// scheme URIs that Firefox implements. An attacker may trick a user to open a malicious HTML file in the browser and click on a button to execute the exploit. The attacker can send such files to the victim via email. Or, the victim may browse to the malicious website on his own.

Elaborating this scenario, the researcher stated,

The victim thinks he clicks on a button on the malicious HTML, but in fact, he is clicking on the malicious file html inside the iframe’s directory listing (using ClickJacking technique, in order to apply the “context switching bug” which allows me access the directory listing of my containing folder).

The attacker may then gain access to the other files stored in the folder having the malicious HTML file.

The malicious file is able to read any file on it’s containing folder (file:///home/user/), such as SSH private key by simply fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file by 1 more fetch request to the attacker’s malicious website with the files’ content.

The following video shared by the researcher demonstrates the exploit.

Bug Remains Unpatched Despite Being Known

According to the researcher, this isn’t the first time that someone has pointed out such exploit. Mozilla are aware of the potential for exploitation, when Dave Kimberley reported it for the first time. Eerily, the flaw remains unpatched even after 17 years of the first report.

When Tawily reported the bug, he received the following response,

Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.

Consequently, the vulnerability still affects the latest Firefox browser versions (including Firefox 67) across all operating systems. The researcher once again highlighted the matter in the hope that Mozilla pays attention and applies a  fix this time around.

Take your time to comment on this article.

You may also like

Do NOT follow this link or you will be banned from the site!

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid