It's possible to open links pointing to the file:/// origin from web pages using "Open link in a new tab" in the context menu.
https://hackerone.com/bugs?report_id=369185 shows unsafe ssh:// protocol handling, which leads to an information leak via ssh (the OS username, etc.). The vulnerability is readily reachable, so it's possible to leverage it.
Since we can obtain the username, it's easy to predict the path of the downloaded file:
When the user initiates an ssh session through the browser, it's equivalent to running
ssh [email protected]. So the host that receives the connection request knows the user's OS username.
The downloaded file's name comes from the download attribute of the link. That means it's under the attacker's control.
OS Release: 17.6.0
Update Channel: Release
OS Architecture: x64
OS Platform: macOS
Brave Sync: v1.4.2
OS: macOS 10.13.5 17F77 x86_64
I could provide a PoC with the "ssh step" if it would increase the bounty. Currently the OS username is hardcoded in
exploit.html. Insert your OS username to run the exploit (e.g. using devtools or locally).
- ssh:// - user agrees.
- file-load.html. Downloading happens.
Navigation from web pages to file:/// and executing files downloaded from the web on the local filesystem is definitely a vulnerability, which additionally opens a wider attack surface for an attacker.
Bypassing SOP on the file:/// origin could lead to a full-chain exploit 😈.
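As an added illustration of the fix, and not code from this report or from Brave, the following JavaScript models the navigation policy a browser should enforce for the two steps described above: a web origin must never be able to navigate to file:// (no matter which UI path opens the link, context-menu "Open link in a new tab" included), and an external protocol handler such as ssh:// must only run after explicit user consent. The function name `isNavigationAllowed`, its option names, and the sample hosts and paths are assumptions made for this example.

```javascript
// Added example, not code from the report or from Brave. It models the policy
// a browser should enforce for the sequence the report describes: web content
// must never reach the file:// origin, and external handlers need user consent.
// Function and option names are assumptions for this example.

const WEB_SCHEMES = new Set(["http:", "https:"]);
// Schemes handed to an external program. Running one leaks local details
// (e.g. the OS username that ssh sends as the login name).
const EXTERNAL_HANDLER_SCHEMES = new Set(["ssh:"]);

function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Decide whether a navigation initiated by `initiatorOrigin` to `targetUrl`
// may proceed. `how` records the UI path (click, context-menu "Open link in a
// new tab", window.open, ...); it is kept for logging but never changes the
// verdict, which is exactly the property the report shows was missing.
function isNavigationAllowed(initiatorOrigin, targetUrl, opts = {}) {
  const { how = "click", userConsented = false } = opts;
  const initiator = parseUrl(initiatorOrigin);
  const target = parseUrl(targetUrl);
  if (!initiator || !target) {
    return { allowed: false, how, reason: "unparseable initiator or target URL" };
  }

  // Web content may never navigate to the local filesystem origin.
  if (WEB_SCHEMES.has(initiator.protocol) && target.protocol === "file:") {
    return { allowed: false, how, reason: "web origin may not navigate to file://" };
  }

  // External handlers start a local program: require an explicit user decision
  // that names the handler and the host it will contact.
  if (EXTERNAL_HANDLER_SCHEMES.has(target.protocol)) {
    return userConsented
      ? { allowed: true, how, reason: `user consented to ${target.protocol} handler for ${target.host}` }
      : { allowed: false, how, reason: `${target.protocol} handler requires user consent` };
  }

  return { allowed: true, how, reason: "ordinary navigation" };
}

// Constructed sample of the report's sequence, evaluated under the policy
// (hosts and paths are made up for this example).
const SAMPLE_DECISIONS = [
  isNavigationAllowed("https://attacker.example", "ssh://attacker.example"),
  isNavigationAllowed(
    "https://attacker.example",
    "file:///Users/victim/Downloads/file-load.html",
    { how: "context-menu-new-tab" }
  ),
];
```

Both sample decisions come back denied: the ssh:// step is blocked until the user has explicitly consented, and the file:// step is blocked for a web initiator regardless of the `how` value, so a predictable download path alone no longer gives the attacker a navigation target.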