
/tech/ - Technology


File (hide): c22765897316306⋯.png (91.48 KB, 290x288, 145:144, concerned anime aligator.png) (h) (u)


 No.1033093>>1033177 >>1033195 >>1037863 >>1037899 >>1043247 >>1043255 >>1046883

Alright /tech/, I have been doing some computering lately and I realized that web browsers can load files from the local file system with this protocol:

file://

Could CIAniggers use this to load files from paths that are always the same and then send them off with JavaScript in order to find out information about you?

Like these:

C:\Windows
C:\ProgramData
/var/log
/etc
/home/<user>

When I put this:

<img src="file:///etc/alternatives/start-here-16.png" alt="benis" />

into an HTML file and open it, it loads the Debian icon.

Should I be worried about this?

Pls respond am not good with computer.

 No.1033098>>1033099 >>1037842

Locally opened files have different rules than websites that you load, other websites can't do that.


 No.1033099

>>1033098

Ok, good. That's a relief.


 No.1033105>>1033123

>Should I be worried about this?

>Pls respond am not good with computer.

Yes you should. Even if the API intends to do this, it can probably be bypassed. Even if it's well designed (it isn't), it can probably be bypassed with side channels. The first step is to disable JS. The second step CSS. The third step, stop using web browsers. Fact: There are hundreds of browser vulnerabilities discovered every day, and lots patched every day.


 No.1033108

this is nothing new, and no, it's not an issue

websites can't just load files from your computer, and if you think they can, you don't know shit about how web browsers work

the only way they could do that is through some code execution exploit in your browser that would allow an attacker to perform remote code execution, but that has absolutely nothing to do with file://


 No.1033123>>1033156 >>1046890

>>1033105

>The first step is to disable JS. The second step CSS

Neither of these stops the page from linking a local address from an image.


 No.1033156>>1033352

>>1033123

they can't use javascript tricks to get the file if it's disabled


 No.1033165>>1033300

They can only get files via selecting them with the upload dialog box.


 No.1033177>>1033182 >>1033313

>>1033093 (OP)

Nigger, are you retarded? This is like when internet newfags post the path of their directory in an attempt to upload an image.


 No.1033182

>>1033177

/home/anon/Pictures/super_funny_meemee_XD.jpg


 No.1033184>>1033188

Which is why you should use firejail to prevent browsers from looking at your home directory


 No.1033188


 No.1033189

https://www.extremetech.com/computing/51140-netscape-and-mozilla-share-msie-filestealing-bug

>2002

Doubt it's the first example either. It's been around a long time.


 No.1033195

>>1033093 (OP)

2001 called, they want their exploit back.


 No.1033232

Every time someone posts a retarded thread like this it astounds me that retards like this can even exist.

But then I realise, this is the norm, this is what current year technomagic fags actually think.

I want to die.


 No.1033300>>1033315

How feasible would it be for websites to start providing their js scripts instead of just loading it every time?

Take for example 8chan.

Instead of loading the JS from the server(it could change at any time to get your IP through a vulnerability), they would provide the JS they run so that you can read it and then add it yourself, so you can run all the benefits of JS while on a VPN and being totally safe, since you've read the code that is running.

>>1033165

What if they can use this to check if a file exists?

Then they could know if you installed a certain package, too.


 No.1033313

File (hide): 6eb0d1f28bdbf48⋯.jpg (496.63 KB, 600x720, 5:6, serveimage.jpg) (h) (u)

>>1033177

You just brought back memories from 16 years ago, man. I was such a retard...


 No.1033315

>>1033300

You can already do that, just copypaste 8chan's scripts into greasemonkey or something, and then use another plugin like uMatrix to block scripts from 8chan.


 No.1033348>>1033353

They can do that especially on windows or mac but also linux.

They can just do frameset-alike targeting html tags on your local files and check for responses or errors (you can even attach debugger in JS!). Let's say you have profile picture on C:/favicon.ico can also do %appdata%/ms/ thumbnails db, ie cookies/history, profile picture on new windows, browser cache favicon.ico etc etc etc they can then screenshot or fetch it with the magic of turing complete Javascript and even hide the code under a base64 -> ??? -> base64 -> html script tags so you'd mistake as just another bloated URI (actually they're very dangerous!).

What's stopping them from doing so? It's free, just neckbeard and no funding required. We hacked android with a measly png file, we hacked windows with an INI text file, an entire server with a malformed GIF, ruby, command address injection on OS or on SQL.

The world is your cloyster.

If you're one of those "proof I don't believe you" people then I'll tell you that they can fingerprint your entire system font list with a simple JS.

Sometimes even a few bytes - bites!


 No.1033352

>>1033156

I've been to some parts of the deep web and there is this URI html comment generated for users that works as a fingerprint-level session cookie and since it is written in the page, there is no way to delete it. Now come back and disable your js, css, and html5 when the server itself can reverse your machine name, lookup your dns, your IP, network latency and response, and time+millisecond RTC difference. You already lost before you even had the time to pick up your sword.


 No.1033353>>1033360 >>1033381

>>1033348

>system font list

this is the thing I never get, how is that something privacy-invasive?

Like, if you don't do ricing/photo editing or something then your system fonts are the same as over9000 other computers in the world tbh


 No.1033360>>1033361

>>1033353

Some programs like adobe and word processors may install fonts.


 No.1033361>>1033381

>>1033360

Also different distributions may have different ones.


 No.1033381

>>1033353

>cianigger windows update installs unique font into your computer to ID you

this works but if they haven't done this yet, expect them doing so now that they know

>this >>1033361


 No.1034520>>1043282

File (hide): b4dc508cc3fe049⋯.png (357.4 KB, 472x910, 236:455, eric.png) (h) (u)

God help us all what is this thread


 No.1034547

tbh just disable javascript and %99 of the fluorescent black persons can't access your computer or cp stash in it you disgusting pedo kill yourself


 No.1037408

That's for accessing C:\ when gay restrictions block it


 No.1037842>>1037862

>>1033098

Do we know this for sure? In every browser?


 No.1037862

>>1037842

wasn't something like this used to get the real ip of a tor user


 No.1037863

>>1033093 (OP)

that's a CUTE crocodile!


 No.1037899

>>1033093 (OP)

Please kill yourself immediately, you colossal fucking retard.


 No.1037935

I mean it's not really a dumb question, it would be a legitimate security risk had browsers not implemented specific protections against this kind of attack


 No.1041065>>1041775

wouldn't you in some way get into trouble because of CORS trying to do that? Or does the CORS policy (=forbidden by default, which makes testing that restapi you just built a real pain in the ass) only act on things downloaded, not things uploaded?


 No.1041069

Yes, and hackers have been uploading ALL of your personal data to their servers via XHR for over a decade. But don't tell anyone. Keep it between us.


 No.1041775>>1041776

>>1041065

"chromium --disable-web-security"

"Pain in ass"


 No.1041776

>>1041775

Like testing REST api by browser isn't enough cringe.


 No.1043247

>>1033093 (OP)

Javascript doesn't work cross domain


 No.1043255

>>1033093 (OP)

>I realized that web browsers can load files from the local file system with this protocol:

welcome to 1995


 No.1043282

>>1034520

>meme that is not worth saving (not cute or fun)

>low quality image in PNG

>0.4MP with plain background

>357KB

Can you stop posting your stegshits for a while?


 No.1046332

Don't run your web browser and other shit on an account that has access to /var/log, duh.


 No.1046861>>1046892

As noted, it's easily mitigated by same origin policy or whatever. In this case, content fetched over http(s):// cannot fetch content over file://

Your example works probably because you open that document over file:// too. Try to fetch it from a webserver and see what happens.

Though the question is not stupid, IMO. Like, if you don't know how exactly a particular implementation of a browser works, you shouldn't just assume it doesn't steal your wallet the moment you go online LOL.
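
The test suggested in the post above, as an added example that is not part of the original thread: a small Node.js server that serves the OP's `<img src="file://...">` page over http:// so it can be compared with the same HTML opened locally. The port, the `/test.html` path and the status text are assumptions made for the example; the image path is the one from the OP.

```javascript
// Added example (not from the thread): serve the OP's test page over http://
// so the result can be compared with opening the same HTML via file://.
const LOCAL_URL = "file:///etc/alternatives/start-here-16.png"; // path from the OP
const PORT = 8080; // assumption: any free local port works

// Build the test page. The status text is set by the img's own load/error
// handlers, so it shows what this particular browser did with the request.
function buildTestPage(localUrl) {
  const esc = localUrl
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<!doctype html>
<meta charset="utf-8">
<title>file:// subresource test</title>
<p>Image source: <code>${esc}</code></p>
<p>Result: <b id="r">pending</b></p>
<img src="${esc}" alt="benis"
     onload="document.getElementById('r').textContent='LOADED'"
     onerror="document.getElementById('r').textContent='BLOCKED or missing'">`;
}

// Pure routing function: the test page on / and /test.html, 404 otherwise.
function respond(path) {
  if (path === "/" || path === "/test.html") {
    return { status: 200, type: "text/html; charset=utf-8",
             body: buildTestPage(LOCAL_URL) };
  }
  return { status: 404, type: "text/plain; charset=utf-8", body: "not found\n" };
}

// Bind to loopback only; this is a local test page, not a public service.
function serve(port) {
  const http = require("node:http");
  return http.createServer((req, res) => {
    const r = respond(new URL(req.url, "http://localhost").pathname);
    res.writeHead(r.status, { "Content-Type": r.type });
    res.end(r.body);
  }).listen(port, "127.0.0.1", () =>
    console.log(`open http://127.0.0.1:${port}/test.html`));
}

if (process.argv.includes("--serve")) serve(PORT);
```

Run it with `--serve` and open the printed URL, then save the same HTML to disk and open it through file:// to see the difference in the "Result" line. The browser's developer console shows the reason for a refused load.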


 No.1046883>>1046890

>>1033093 (OP)

>he didn't already know this

The fuck?

>Should I be worried about this?

No. The "file://" would refer to files on the server, not your local machine.

Even if it were possible through some kind of an exploit you can always restrict your browser to its own folder by using permissions so that it can't leave the folder and access your files.


 No.1046890>>1046909

>>1033123

it's as if you didn't even read what you're replying to

>>1046883

no, file:// refers to files on your local filesystem. now shut the fuck up. no current OS offers a practical way to support the permissions you claim either. it's just UNIX turds everywhere


 No.1046892

>>1046861

>fundamental retardism in the browser is easily mitigated by using a complex meme piece of shit which has never been anything more than a bandaid

what could ever go wrong?


 No.1046905

slowpoke.xss.png.js


 No.1046909>>1046910 >>1058016

>>1046890

I literally just tested it and it doesn't work.

>practical way to support the permissions you claim

Android and GNU do, retard.


 No.1046910

>>1046909

In android's case it just won't have access to files.


 No.1058016

File (hide): 0ea80fd906cea36⋯.jpg (14.63 KB, 400x301, 400:301, niggles.jpg) (h) (u)

>>1046909

>I literally just tested it and it doesn't work.

My single test on my single system had a single result that I will proclaim universally reproducible across all systems.


 No.1059657

Such a fitting OP image, even the anime girl is unsure of herself.



