One of my articles has gotten a ton of attention --read: 450K of traffic-- lately, including from Mozilla. And now they accuse me of spreading misinformation, grasping for the last few straws, and Mike Shaver doesn't want me to progress in the security field, because I changed some viewpoints about how vulnerabilities are perceived over time. And I do, of course I change viewpoints on security matters, because each day I learn more about it. I wish they did the same, but I think it stays at wishing, because I certainly do think that browsers should be one-way traffic, and not both ways. Back in the days when Internet Explorer could read all files on your hard disk it wasn't considered a risk. Today it is, because in my opinion a browser should only be used to browse other servers. Hence, the client and the server.
Right, onto the disclaimer and what I said that was wrongfully interpreted. In my article I never said it was about directory traversals. It was about reconnaissance, a clear information leak. Did I say personal information leak? No, I did not. Can it read personal information? Probably, under the right circumstances, yes, but that is highly theoretical. One issue is the XPIinstall.manifest file, which can be located through the resource:/// scheme and was left behind by a plugin called XULmaker. It wrote the full path on your computer into that file. If we could obtain it through another vulnerability --like a file-upload issue, which are more common than we like to think (and which Mozilla never gave me proper credit for, but that is fine)-- we could reach for every file in the Mozilla installation directory and upload all your cookies or personal settings. And the resource:/// scheme does facilitate this. If it didn't, it would be impossible now and in the future. That is how security works: it is stacking vulnerabilities in order to compromise a machine faster and more efficiently.
But look what Percy Cabello at mozillalinks has to say:
"Also, the resource: protocol this vulnerability relies on doesn't allow directory traversal since 220.127.116.11, so it's not possible to access files in parent or sibling folders."
Ah ok, but even if I were talking about directory traversal --which I did not-- I can show you that it is possible:
It does traverse one folder below the Firefox directory, and lands inside the Program Files folder. I said before that you can't do anything useful with it. But the problem is that it might become an issue in the future or under the right circumstances. It did become an issue when Gerry was able to traverse directories through extensions, which basically used the same principle by encoding the dots.
So I warned them about this before, and it did become an issue over time. What if another flaw were found that could exploit these issues? Or maybe a more clever person than me could abuse it, like Gerry did? That is what I am aiming at. Thus it has been possible for over 4 years to steal all your session data, and it has only now been discovered by Gerry. But what if attackers already knew this? Bang! Vulnerable by default! So what I basically talked about is that we can browse the browser, and I certainly do not like that. But hey, that might be the reason I use Opera, which in turn makes me more biased. In clear words: it should never be possible to browse my computer remotely. It gives away too much information about my current setup, just like I talked about here. I guess they now know how it feels and what Microsoft has been put up with all those years. Just stop boasting about being the safest browser, because that is a pure lie.
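Two defensive checks for the issues the post describes, written here as an added example and not code from the post, from Mozilla or from any extension author. The first is the kind of resolver a scheme handler needs so that "encoding the dots" (percent-encoded, double-encoded or backslash-separated `..` segments) cannot step out of the installation directory; the second audits a manifest's text for absolute local paths, the sort of install-path leak the post attributes to the XPIinstall.manifest file left behind by XULmaker. The base directory, the sample manifest and the function names are constructed assumptions; the real on-disk layout is not on the page.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for a browser installation directory (assumption).
BASE_DIR = "/opt/browser-install"


class TraversalError(ValueError):
    """Raised when a requested resource path would escape the base directory."""


def _fully_unquote(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a twice-encoded
    '..' (%252e%252e) is seen for what it is instead of slipping through."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise TraversalError("too many layers of percent-encoding")


def resolve_resource(request_path: str, base_dir: str = BASE_DIR) -> str:
    """Map the part after 'resource:///' onto a file under base_dir.

    Decoding happens first, then '.' and '..' are walked segment by segment;
    any '..' that would climb above the base directory is refused rather
    than silently clamped, so traversal attempts are visible, not hidden.
    """
    decoded = _fully_unquote(request_path)
    # On Windows a backslash is a separator too, so '..\\x' must count as '../x'.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise TraversalError("path escapes base directory: %r" % request_path)
            segments.pop()
            continue
        segments.append(seg)
    resolved = posixpath.join(base_dir, *segments) if segments else base_dir
    # Belt and braces: the final string must still sit under base_dir.
    if resolved != base_dir and not resolved.startswith(base_dir + "/"):
        raise TraversalError("resolved outside base directory: %r" % resolved)
    return resolved


# Windows drive paths and common Unix home prefixes; extend as needed.
ABSOLUTE_PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^\r\n"\']+|/(?:home|Users)/[^\r\n"\']+)')


def find_absolute_paths(text: str) -> list:
    """Return absolute local paths found in a manifest or config file's text.
    Anything returned is an install-path leak a remote reader should not see."""
    return ABSOLUTE_PATH_RE.findall(text)


# Constructed sample manifest, modelled only on the post's description of a
# file that records the full installation path; not a real XULmaker file.
SAMPLE_MANIFEST = (
    "name=xulmaker-example\n"
    "installdir=C:\\Program Files\\Mozilla Firefox\n"
    "version=0.1\n"
)


if __name__ == "__main__":
    for req in ("chrome/browser.jar", "chrome/../defaults/prefs.js",
                "../other/secret.txt", "%2e%2e/other", "%252e%252e%2fother", "..\\other"):
        try:
            print(req, "->", resolve_resource(req))
        except TraversalError as exc:
            print(req, "-> refused:", exc)
    print("leaked paths:", find_absolute_paths(SAMPLE_MANIFEST))
```

The resolver refuses rather than clamps because `posixpath.normpath("/../x")` would quietly turn a traversal attempt into `/x`, which hides exactly the probing a defender wants logged. The manifest audit is a content check, not a scheme check: even with a correct resolver, a file inside the served tree that records absolute paths still tells a remote page where the installation lives.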
You can read Shaver's post and the gossip right here: