Using just a browser and some clever tricks, a researcher presenting at the Black Hat security conference demonstrated how to weaponize a tool intended to make websites more like apps.
Matthew Weeks, a Technology Fellow at Deloitte, focused his work on the File System Access API, which he calls "the latest in a long train of APIs [intended] to make web pages more feature comparative with mobile and desktop applications." He notes that some browsers already support File Systems Access, and more will in the future.
The benefits are obvious. With this tool, websites can provide functionality wherever a person accesses it, without requiring them to install an application. Think online image or audio editors or complex browser games, Weeks says.
Here's the problem: As its name suggests, File Systems Access allows websites to access files on your computer, and Weeks finds that quirks of the API allow for some worrisome behavior.
Using a custom-built, phony social media page, Weeks showed that once a user gave the site access to a folder, it could open and upload every single photo in that folder as well as in the folders nested within it. It's a minor issue, but it's easy to see how a person could accidentally share all their personal photos.
Screenshot from Weeks' presentation. By granting access to the folder, Weeks allowed the site to access all its contents.
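How much a single directory grant exposes can be measured with the same async-iterator API a site would use to read it, and a well-behaved site can show the user that scope before uploading anything. The following is an added example, not code from Weeks' talk or the article; the mock handle and sample photo tree are constructed stand-ins for a real FileSystemDirectoryHandle, and the maxDepth limit is an assumed parameter, not part of the API:

```javascript
// Added example: measure what one directory grant from showDirectoryPicker()
// actually reaches. Uses the standard FileSystemDirectoryHandle surface:
// handle.values() (async iterator of entries) and entry.kind / entry.name.
async function summarizeGrant(dirHandle, maxDepth = Infinity) {
  const summary = { files: 0, directories: 0, deepestLevel: 0, truncated: false };
  async function walk(handle, depth) {
    if (depth > summary.deepestLevel) summary.deepestLevel = depth;
    for await (const entry of handle.values()) {
      if (entry.kind === 'file') {
        summary.files += 1;
      } else if (entry.kind === 'directory') {
        summary.directories += 1;
        // Assumed policy knob: a site that only needs the top level should
        // stop here instead of descending into every nested album.
        if (depth + 1 > maxDepth) { summary.truncated = true; continue; }
        await walk(entry, depth + 1);
      }
    }
  }
  await walk(dirHandle, 0);
  return summary;
}

// Constructed stand-ins for FileSystemDirectoryHandle / FileSystemFileHandle so
// the walker runs in Node without a browser; real handles come from the picker.
function mockDir(name, children) {
  return {
    kind: 'directory',
    name,
    async *values() { for (const child of children) yield child; },
  };
}
function mockFile(name) { return { kind: 'file', name }; }

// Constructed sample tree resembling a photo library: a few top-level photos
// plus nested album folders that the single grant also exposes.
const samplePhotos = mockDir('Photos', [
  mockFile('IMG_0001.jpg'),
  mockFile('IMG_0002.jpg'),
  mockDir('2023', [mockFile('beach.jpg'), mockDir('private', [mockFile('id-scan.jpg')])]),
  mockDir('2024', [mockFile('party.jpg')]),
]);

summarizeGrant(samplePhotos).then((s) =>
  console.log(`grant exposes ${s.files} files in ${s.directories} subfolders, ${s.deepestLevel} levels deep`));
```

Running the walker with a maxDepth of 0 shows the difference between what a site needs (the folder the user picked) and what the grant hands over (every nested folder beneath it).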
Demonstrating what Weeks called a "small bug," he showed how File Systems Access could be persuaded into a loop where it created 99 files on the user's machine before stopping. "You can fill up the drive very quickly, potentially as fast as the disk can write."
In the more malicious sphere, Weeks demonstrated how a bogus audio editor website could covertly write a DLL file to a victim's computer. When the victim later goes to open what they think is their audio file in Audacity, the malicious file runs.
Most impressive was what Weeks calls some "sleight of hand." In this scenario, the victim downloads a test script. Weeks showed that the file's full contents could be examined and said it could even be scanned with antivirus without raising alarms. That's because the script isn't malicious—yet. Once the victim runs the script, the browser is able to open the file and write in new, malicious code that's immediately run.
Not So Fast
While worrisome, Weeks stressed that there are security measures in File Systems Access. For one thing, the user is prompted to provide access, so these attacks can't be made fully invisible. The API is also blocked from handling certain file types, and is forbidden from accessing certain sensitive areas of file systems.
Weeks had some suggestions on how to improve File Systems Access. It should block script files, lock files for the entire time the API has access, and prompt users for read-write access more frequently. He also said browsers should provide some visual indication that a tab or window has access to files, similar to the icons that appear when you give a browser access to a microphone or camera.
For everyday folks, the remedy is easier. Whenever you use a site that you've given access to your files, be sure to close the tab and any other windows the site may have created.