Elliot Alderson Jul 4
WhatsApp attachments are stored in the sdcard unencrypted. Firefox has read sdcard permission. Any app with sdcard permission can steal your WhatsApp attachments. Sorry, this is not a bug, this is by design.
evariste.gal🌈is Jul 4
Replying to @fs0c131y
I disagree. It is a Firefox feature that is not in other modern browsers. So, if you try to steal data by opening a received HTML file with Chrome you cannot do it. This is the issue.
Elliot Alderson Jul 4
Replying to @evaristegal0is
This is not really a question of opinion here. The WhatsApp attachments are very easy to steal by design, this is the fact.
evariste.gal🌈is
Yep, it is true. I have used WhatsApp as an example, but the issue (reported to Mozilla team) is the Firefox same origin policy. If I open the same HTML file with another browser I cannot steal data. The focus of the proof is not WhatsApp, but I agree about your comment.
Elliot Alderson Jul 4
Replying to @evaristegal0is
Imo, the explanations in the bug are acceptable. Having the possibility to access content of the sdcard is not really a bug. The sdcard is an insecure place; no sensitive information should be stored in it.
Elliot Alderson Jul 4
Replying to @evaristegal0is
And the fact that you cannot reproduce the same thing with other browsers is not really proof. Mozilla just made a different choice 😀
Elliot Alderson Jul 4
Replying to @evaristegal0is
Don’t get me wrong. It’s a cool finding but I would consider that as a « good to know » thing 😄 not as a major issue
evariste.gal🌈is Jul 4
Replying to @fs0c131y
I agree but my criticism is just about the Firefox SOP. In 2019 this SOP is dangerous and the PoC is an example. Then, about the security of sdcard we have the same opinion. Unfortunately WhatsApp saves the documents in this way, not my choice :)
evariste.gal🌈is Jul 4
Replying to @fs0c131y
I agree :) I have only written "Do not open HTML received via WhatsApp with Firefox", don't panic but it is useful to know it
Elliot Alderson Jul 4
Replying to @evaristegal0is
Yep, I got your point. Mine is: what do you want to steal with this relaxed SOP? Except sdcard content you will not be able to steal anything else. This is what yep maybe the SOP is not restrictive enough but there is no useful application of it.
evariste.gal🌈is Jul 4
Replying to @fs0c131y
I think it is not good if an attacker can easily steal my private files from my sdcard. That's all! Only my opinion :) (to Mozilla team I have written that I wasn't sure if it is a bug or a feature, maybe it is a dangerous feature imo)
Elliot Alderson Jul 4
Replying to @evaristegal0is
The files in the sdcard should not be considered as private. You can check on your phone, a lot of apps have the sdcard read permission. Moreover, in order to get your files the attacker will need to know the file names and a user interaction is required.
Mark Barnes Jul 4
You can do the same thing in Chrome using the content: scheme. For example content://com.android.externalstorage.documents/document/primary%3AWhatsApp%2FMedia and so on
evariste.gal🌈is Jul 4
Replying to @Incanus @fs0c131y
But cross origin denies XMLHttpRequest (if I am right)