Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The expert also shared details of its PoC and a video PoC of the attack. Tawily explained how an attacker can easily steal secret SSH keys of Linux victims if they save downloaded files in the user-directory that includes SSH keys in its subfolder.
Chrome has a very restrictive file:// security policy: every single file is a different origin. This unfortunately breaks a lot of use cases (e.g. HTML documentation).
We have a security policy where a file can only access things in the same directory or subdirectories. This works fine as long as you don't dump unrelated things in the same directory...
The current file:/// behavior was an intentional choice that at the time was much stricter than the primordial status quo. The world has moved on and webkit/chrome has shown we can get away with strict unique origins now (bug 1500453).
To me it reads that if a Firefox user does several consecutive unwise actions, they might be vulnerable...
Still, the dissemination of information about the issue is appreciated.
That's what I picked up, but according to the article it could happen without the user doing anything wrong.
-- An attacker could successfully carry out the attack by tricking victims into downloading and opening a malicious HTML file on the Firefox web browser and into clicking on a fake button to trigger the exploit.
“Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, as soon as they click the button placed carefully on the malicious HTML page.” continues The Hacker News
I would think that the browser is an independent variable in a situation such as this. If a phish is going to take the bait, any hook will do.
There is no good defense against stupid.
Yes but this “Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, "
From what it sounds like to me, "secretly" means it is not visible to a user.
"Anything wrong" is a bit ambiguous and up for debate. You could say what they did wrong is to download the malicious HTML page in the first place. But you could also argue they couldn't have known it was malicious, and downloading an HTML page is not wrong.
I was just curious so I tried it. Put any html file in your home directory, and inside it put for example <iframe src=".ssh/known_hosts"></iframe>. Both Firefox and Google Chrome showed my file when I open it in the browser. So it's not only Firefox.
They both deny .. in the path. For this attack to work, I have to move the file from the Downloads directory to my home directory.
I understand files are used in a lot of cases, like documentation. So denying files and subdirectories would break a lot of things.
But couldn't they deny all files/folders with a . prefix or something?
Points taken about the possibility that the malicious html file might be downloaded "in secret" -- but I'm going to stick with the opinion that putting a downloaded file in your home directory is, in fact, unwise.
Again, we wouldn't have known that is unwise without this discussion.
I think the problem is not so much about showing the file to you, but allowing JavaScript code to influence the display and/or read the data.