- From: Duan Yao <notifications@github.com>
- Date: Thu, 05 May 2016 20:35:13 -0700
- To: WICG/directory-upload <directory-upload@noreply.github.com>
- Cc:
- Message-ID: <WICG/directory-upload/issues/38@github.com>
This issue was [reported by alibaba.com](https://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.IYip0H&id=3) and further demonstrated [here](http://blog.knownsec.com/2015/11/html5-upload-folder-with-webkitdirectory-phishing/). For those who don't read Chinese, I rephrase this issue as follows:

1. A malicious web page shows a button: "Click to download X software for free!"
2. When a user clicks the button, the web page triggers a directory upload dialog.
3. The user may overlook that the dialog is not "save as" but "select a directory to upload" and select a directory to save the file.
4. The web page uploads the directory to the attacker's server.
5. The web page may show a message: "Download failed, please retry", and replace the button mentioned above with a normal download button. So the user won't realize that an upload instead of a download happened.

I think UAs may show a warning dialog before showing the directory upload dialog: "The site xxx is asking you to upload a directory. Depending on the content of the directory, this may leak your personal information. Continue?"

View it on GitHub: https://github.com/WICG/directory-upload/issues/38
Received on Friday, 6 May 2016 03:38:02 UTC