Open-source software has long been hailed as more secure than proprietary software, on the reasoning that when the source code is available, a bug has a higher chance of being spotted. But this does not hold consistently: sometimes the feature that has carried a bug for years is not a commonly used one, so the chance of the bug being discovered, and of a developer being motivated enough to finally fix it, is low. This happened to Firefox recently, as Mozilla continues to decline to issue a patch for a bug that was reported to it 17 years ago.
The bug lies in Firefox’s implementation of the Same Origin Policy, under which local files on the computer running the browser can be read by a third party. Barak Tawily published a blog post detailing the proof of concept of his discovery on a GitHub page. He provided a simple step-by-step description of how the flaw can be taken advantage of:
- A Firefox user opens a malicious .html attachment. It can be delivered through normal channels such as email or an instant messaging service.
- Once opened, the HTML file makes the user believe that “he clicks on a button on the malicious HTML, but in fact he is clicking on the malicious file html inside the iframe’s directory listing,” explained Tawily (a technique also known as clickjacking).
- The trojanized iframe inherits the user’s read privileges on the files in the local directory where the downloaded .html file was stored. This includes even the SSH private key, usually residing in the /home/~/.ssh directory. The attacker who sent the malicious .html file can then remotely connect to the machine with read-only privileges.
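As an added example, not part of the original article or of Tawily’s proof of concept, the following Python script scans an HTML attachment for the indicators described in the steps above: an iframe whose src is a file:// URL or a relative directory reference (which Firefox renders as a directory listing), and near-invisible iframe styling typical of clickjacking. The heuristics and the sample documents are constructed for illustration and are assumptions of this example, not rules from the page.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions for this example, not from the article).
FILE_SCHEME = re.compile(r"^\s*file:", re.IGNORECASE)
# ".", "..", "./", "../", "/" or any relative path ending in "/" -> directory listing
DIR_REF = re.compile(r"^\s*(\.{1,2}/?|/|[^:?#]*/)\s*$")
OPACITY = re.compile(r"opacity\s*:\s*([0-9]*\.?[0-9]+)", re.IGNORECASE)
HIDDEN_OPACITY_MAX = 0.1  # an iframe this transparent is effectively invisible


def _opacity(style: str):
    """Return the numeric opacity from an inline style, or None if absent."""
    m = OPACITY.search(style)
    return float(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects (indicator, value) findings for every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = a.get("style") or ""
        if FILE_SCHEME.match(src):
            self.findings.append(("file-scheme-iframe", src))
        elif DIR_REF.match(src):
            self.findings.append(("directory-listing-iframe", src))
        op = _opacity(style)
        if op is not None and op <= HIDDEN_OPACITY_MAX:
            self.findings.append(("hidden-iframe", style.strip()))


def audit_html(document: str):
    """Return the list of indicators found in the HTML text."""
    p = IframeAuditor()
    p.feed(document)
    p.close()
    return p.findings


def is_suspicious(document: str) -> bool:
    """True when an iframe points at a local file:// URL or a directory listing."""
    kinds = {k for k, _ in audit_html(document)}
    return bool(kinds & {"file-scheme-iframe", "directory-listing-iframe"})


# Constructed samples (not real attachments): one benign, one carrying the indicators.
BENIGN = '<html><body><iframe src="https://example.com/widget"></iframe></body></html>'
SUSPECT = ('<html><body><button>Open report</button>'
           '<iframe src="." style="position:absolute;top:0;left:0;opacity:0.01"></iframe>'
           '</body></html>')
```

Run `audit_html` over the HTML attachments in a mail quarantine or download folder; a hit on `is_suspicious` is a reason to open the file in a sandbox rather than in a local browser, since any file:// iframe inherits access to the folder it was saved in.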
“Security-wise I think this should be addressed on the RFC side, that should enforce user-agents (browsers) to implement the most secure approach, and don’t allow developers to do such mistakes that leave the client exposed to such attacks,” added Tawily. He even went ahead and published a YouTube video with a complete visual demonstration of the bug.
Mozilla has not issued an official statement in response to Tawily’s accusation that the non-profit voluntarily chose not to deal with a bug it was made aware of 17 years ago. A simple URI scheme embedded in an HTML file should not be able to read local files. Mozilla, however, has confirmed that it does not see this as a bug, let alone a privacy-related problem. “Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders,” emphasized a Mozilla representative.
“I was curious to see how long Firefox ignores users’ complaints and implemented this insecure approach, and it looks like forever. I managed to get a bug reported on almost the same vulnerability (except for the directory listing context switch bug) that was already reported 17 years ago,” concluded Tawily. At the time of this writing, Mozilla has refused to issue a patch, or even a script that can disable the file:// URL feature on all supported versions of Firefox.