But now the times are different. It's not that easy to exploit current browsers; they get patched (relatively) quickly. Attackers cannot easily access your files using browser vulnerabilities, so they turn to the weakest link: users. In this post we'll try to explore what current browsers can do with your files.
Your file, please
How can a website access a user's files? Traditionally, the user has to upload the file. Users commonly share photos and videos, upload their files to online conversion tools, etc. You could (theoretically) be tricked into uploading a sensitive file to a malicious website ("please submit your private key for checking its strength"), but, seriously, who falls for that?
Downloaded Files/nothing here/move along/boring family photos/1/b00bs.jpg when working inside a browser, so it's not a big deal, right?
Wrong. It's 2011: web applications need new features, browsers are hurrying to implement them, and sometimes security is an afterthought.
But first, a gift
and claim your gift :)
Now back to me
File server inside your browser
- a phishing site with "hacking tricks" bait
- transparent input type=file directory over the fake download button
- launching another window to perform real work (to survive closing initial window by the user)
- the new window sends the file list from the chosen directory to the server
- additionally, it uploads one sample image, if it finds one in your directory
- .. and polls the server repeatedly for further commands
- server control panel gets the list of connected clients and their files
- server operator can choose the files to download
- requests for new files reach the clients, and they send the files back
Your browser has now become a file server, serving files from your chosen directory. More features follow!
- cross domain
- easily served through XSS vulnerability
- server/client could be automated to e.g. send all Excel files at once.
- and, it's HTML5 compatible
Brave new world?
- directory upload,
- offline storage,
- drag & drop support
- extensive styling
- audio & video support
they're getting closer to desktop applications each year. Granted, they all run in a browser "sandbox" with its security policies.
However, users are not aware of what current browsers can do, so they can be tricked into running a malicious app. And, with XSS being so popular, the malicious app may be pretty much any site on the Internet.
Browser vendors try to educate users and prevent them from choosing unsafe settings (the Geolocation bar is an example). Shouldn't a similar 'warning' be displayed when using input type=file directory? After all, it's only one click away and the risks of sharing a whole directory are huge. So, WebKit, what do you think?
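Until browsers show such a warning, a defender can approximate it by listing the directory-picker file inputs on a page and flagging the ones the user cannot see. The following is an added example, not code from the original post; the function names, the 0.1 opacity threshold, the `webkitdirectory` spelling (the WebKit-prefixed attribute, not mentioned in the post) and the mock page are assumptions made for illustration.

```javascript
// Attributes that turn a file input into a directory picker. 'directory' is the
// spelling used in the post; 'webkitdirectory' is the WebKit-prefixed attribute.
const DIR_ATTRS = ['directory', 'webkitdirectory'];

// An element is as transparent as the product of opacity over its ancestors,
// so a fully opaque input inside an opacity:0 wrapper is still invisible.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const value = parseFloat(getStyle(node).opacity);
    if (!Number.isNaN(value)) opacity *= value;
  }
  return opacity;
}

// Returns one finding per directory picker. A 'warn' level marks pickers the
// user cannot see, where a click meant for something else opens the chooser.
function auditDirectoryInputs(root, getStyle, minOpacity = 0.1) {
  const findings = [];
  for (const input of root.querySelectorAll('input[type="file"]')) {
    const attribute = DIR_ATTRS.find((name) => input.hasAttribute(name));
    if (!attribute) continue; // ordinary single-file upload, not a directory picker
    const opacity = effectiveOpacity(input, getStyle);
    const position = getStyle(input).position;
    const overlaid = position === 'absolute' || position === 'fixed';
    let level = 'notice';
    if (opacity < minOpacity) level = overlaid ? 'warn: transparent overlay' : 'warn: transparent';
    findings.push({ id: input.id, attribute, opacity, level });
  }
  return findings;
}

// Constructed stand-in for a DOM so the check also runs outside a browser (sample data).
function mockEl(id, attrs, style, parentElement = null) {
  return { id, style, parentElement, hasAttribute: (name) => attrs.includes(name) };
}
const wrapper = mockEl('wrap', [], { opacity: '0', position: 'absolute' });
const SAMPLE_PAGE = {
  querySelectorAll: () => [
    mockEl('avatar', [], { opacity: '1', position: 'static' }),
    mockEl('album', ['webkitdirectory'], { opacity: '1', position: 'static' }),
    mockEl('bait', ['directory'], { opacity: '1', position: 'absolute' }, wrapper),
  ],
};
const mockStyle = (el) => el.style;

console.log(auditDirectoryInputs(SAMPLE_PAGE, mockStyle));
// In a browser: auditDirectoryInputs(document, (el) => getComputedStyle(el))
```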