Opening HTML files in browsers is a pretty harmless practice. Yet, an old Firefox vulnerability turns it into a security threat. Exploiting this vulnerability can allow an attacker to steal files on the target system simply by opening HTML files in the browser. What’s terrible here is that the bug remains unpatched despite previous reports.
Firefox Vulnerability In Opening HTML Files
Researcher Barak Tawily has pointed out a vulnerability that risks users data security. The vulnerability, upon exploit, can allow an attacker steal files from the device by simply abusing a HTML file.
Describing his findings in a blog post, Tawily elaborated how the flaw allows local file theft by abusing the way the browser opens HTML files. The problem lies with the Same Origin Policy for file:// scheme URIs that Firefox implements. An attacker may trick a user to open a malicious HTML file in the browser and click on a button to execute the exploit. The attacker can send such files to the victim via email. Or, the victim may browse to the malicious website on his own.
Elaborating this scenario, the researcher stated,
The victim thinks he clicks on a button on the malicious HTML, but in fact, he is clicking on the malicious file html inside the iframe’s directory listing (using ClickJacking technique, in order to apply the “context switching bug” which allows me access the directory listing of my containing folder).
The attacker may then gain access to the other files stored in the folder having the malicious HTML file.
The malicious file is able to read any file on it’s containing folder (file:///home/user/), such as SSH private key by simply fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file by 1 more fetch request to the attacker’s malicious website with the files’ content.
The following video shared by the researcher demonstrates the exploit.
Bug Remains Unpatched Despite Being Known
According to the researcher, this isn’t the first time that someone has pointed out such exploit. Mozilla are aware of the potential for exploitation, when Dave Kimberley reported it for the first time. Eerily, the flaw remains unpatched even after 17 years of the first report.
When Tawily reported the bug, he received the following response,
Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.
Consequently, the vulnerability still affects the latest Firefox browser versions (including Firefox 67) across all operating systems. The researcher once again highlighted the matter in the hope that Mozilla pays attention and applies a fix this time around.
Take your time to comment on this article.