
Beware Your Browser Messing With Your Files

The File System Access API is supposed to make websites more compatible with mobile and desktop apps, but it comes with some risks, as demonstrated at the Black Hat security conference.

Using just a browser and some clever tricks, a researcher presenting at the Black Hat security conference demonstrated how to weaponize a tool intended to make websites more like apps.




Matthew Weeks, a Technology Fellow at Deloitte, focused his work on the File System Access API, which he calls "the latest in a long train of APIs [intended] to make web pages more feature comparative with mobile and desktop applications." He notes that some browsers already support File System Access, and more will in the future.

The benefits are obvious. With this tool, websites can provide functionality wherever a person accesses it, without requiring them to install an application. Think online image or audio editors or complex browser games, Weeks says.


The Attacks

Here's the problem: As its name suggests, File System Access lets a website read and write files on your computer, and Weeks finds that quirks of the API allow for some worrisome behavior.

Using a custom-built, phony social media page, Weeks showed that once a user granted the site access to a folder, the page could open and upload every single photo in that folder, and in every folder nested inside it. It's a minor issue, but it's easy to see how a person could accidentally share all their personal photos.


[Screenshot: the browser's folder access prompt]
Screenshot from Weeks' presentation. By granting access to the folder, Weeks allowed the site to access all its contents.


Demonstrating what Weeks called a "small bug," he showed how File System Access could be persuaded into a loop that created 99 files on the user's machine before stopping. "You can fill up the drive very quickly, potentially as fast as the disk can write."

In the more malicious sphere, Weeks demonstrated how a bogus audio editor website could covertly write a DLL file to a victim's computer. When the victim later goes to open what they think is their audio file in Audacity, the malicious file runs.

Most impressive was what Weeks calls some "sleight of hand." In this scenario, the victim downloads a test script. Weeks showed that the file's full contents could be examined and said it could even be scanned with antivirus without raising alarms. That's because the script isn't malicious yet. Once the victim runs the script, the browser, which still holds a handle to the file, can open it and write in new, malicious code that the running interpreter then executes.
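The two behaviors described above, the recursive enumeration behind the photo-folder demo and the scan-then-run race behind the "sleight of hand," modeled as an added example. This is not code from Weeks' talk or from the article: it uses the real File System Access API surface (`FileSystemDirectoryHandle.entries()`, `handle.kind`, `getFile()`, `createWritable()`/`write()`/`close()`) but backs it with constructed in-memory stand-ins so the script runs under Node without a browser, and it substitutes a small FNV-1a fingerprint for the SHA-256 a real scanner would record. In a page, `makeTree()` would be replaced by `await window.showDirectoryPicker()`; the file names and contents are made up.

```javascript
'use strict';

// ---- constructed stand-ins for the browser handle objects (not the real API) ----
function fileHandle(name, text) {
  let content = text;                          // what is currently "on disk"
  return {
    kind: 'file',
    name,
    async getFile() {                          // real API: resolves to a File (a Blob)
      return { name, size: content.length, async text() { return content; } };
    },
    async createWritable() {                   // real API: FileSystemWritableFileStream
      let pending = '';
      return {
        async write(chunk) { pending += chunk; },
        async close() { content = pending; },  // real API commits the write on close()
      };
    },
  };
}

function dirHandle(name, children) {
  return {
    kind: 'directory',
    name,
    async *entries() {                         // real API: async iterator of [name, handle]
      for (const c of children) yield [c.name, c];
    },
  };
}

// Constructed sample tree standing in for a user's Pictures folder.
function makeTree() {
  return dirHandle('Pictures', [
    fileHandle('beach.jpg', 'JPEG...'),
    dirHandle('2023', [
      fileHandle('party.png', 'PNG...'),
      dirHandle('private', [fileHandle('passport.jpg', 'JPEG...')]),
    ]),
  ]);
}

// ---- 1. one directory grant exposes the whole subtree ------------------------
// The permission prompt names only the top folder; nothing stops the page from
// descending into every nested directory and reading every file it finds.
async function walk(dir, prefix = '') {
  const found = [];
  for await (const [name, handle] of dir.entries()) {
    const path = prefix ? `${prefix}/${name}` : name;
    if (handle.kind === 'directory') {
      found.push(...(await walk(handle, path)));
    } else {
      const file = await handle.getFile();
      found.push({ path, size: file.size });
    }
  }
  return found;
}

// ---- 2. scan-then-run is a race while the page still holds the handle -------
// FNV-1a 32-bit, a stand-in for the SHA-256 a real scanner would store.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// "Antivirus" pass: records what the file looked like at scan time.
async function scan(handle) {
  return fingerprint(await (await handle.getFile()).text());
}

// What a page that kept read-write access can do after the scan has passed.
async function overwrite(handle, newText) {
  const w = await handle.createWritable();
  await w.write(newText);
  await w.close();
}

// Consumer-side mitigation: re-read and compare against the recorded fingerprint
// immediately before use, and refuse to run on a mismatch.
async function verifyBeforeRun(handle, expected) {
  const current = fingerprint(await (await handle.getFile()).text());
  return { ok: current === expected, recorded: expected, current };
}

async function demo() {
  const files = await walk(makeTree());                    // three files, two levels deep
  const script = fileHandle('test.ps1', 'Write-Host "harmless test script"');
  const recorded = await scan(script);                     // clean at scan time
  await overwrite(script, 'Write-Host "replaced after the scan"');
  const check = await verifyBeforeRun(script, recorded);   // ok: false
  return { files, check };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The walk returns the nested `2023/private/passport.jpg` even though the user only saw "Pictures" in the prompt, which is the whole of the photo demo. The race half shows why a scan result is only as good as the guarantee that nobody can write to the file afterwards: the fingerprint recorded at scan time no longer matches at run time, which is exactly the gap Weeks' proposed file locking is meant to close.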


Not So Fast

While worrisome, Weeks stressed that there are security measures in File System Access. For one thing, the user is prompted to provide access, so these attacks can't be made fully invisible. The API is also blocked from handling certain file types, and is forbidden from accessing certain sensitive areas of file systems.

Weeks had some suggestions on how to improve File System Access. It should block script files, lock files for the entire time the API has access, and prompt users for read-write access more frequently. He also said browsers should provide some visual indication that a tab or window has access to files, similar to the icons that appear when you give a browser access to a microphone or camera.

For everyday folks, the remedy is easier. Whenever you use a site that you've given access to your files, be sure to close the tab and any other windows the site may have created.
