Alright Zig Forums, I have been doing some computering lately and I realized that...

Jack Hernandez

Alright Zig Forums, I have been doing some computering lately and I realized that web browsers can load files from the local file system with this protocol:
file://
Could CIAniggers use this to load files from paths that are always the same and then send them off with JavaScript in order to find out information about you?
Like these:
C:\Windows
C:\ProgramData
/var/log
/etc
/home/<user>

When I put this:
<img src="file:///etc/alternatives/start-here-16.png" alt="benis" />
into an HTML file and open it, it loads the Debian icon.

Should I be worried about this?
Pls respond am not good with computer.

Attached: concerned-anime-aligator.png (91.48 KB, 290x288)

Dominic Cruz

Locally opened files have different rules than websites that you load, other websites can't do that.

Jordan Gray

Ok, good. That's a relief.

Xavier Torres

> Should I be worried about this?
> Pls respond am not good with computer.
Yes you should. Even if the API intends to do this, it can probably be bypassed. Even if it's well designed (it isn't), it can probably be bypassed with side channels. The first step is to disable JS. The second step CSS. The third step, stop using web browsers. Fact: There are hundreds of browser vulnerabilities discovered every day, and lots patched every day.

Angel Murphy

this is nothing new, and no, it's not an issue
websites can't just load files from your computer, and if you think they can, you don't know shit about how web browsers work
the only way they could do that is through some code execution exploit in your browser that would allow an attacker to perform remote code execution, but that has absolutely nothing to do with file://

Bentley Morales

> The first step is to disable JS. The second step CSS
Neither of these stops the page from linking a local address from an image.

Jack Mitchell

they can't use javascript tricks to get the file if it's disabled

Austin White

They can only get files via selecting them with the upload dialog box.

Bentley Phillips

Nigger, are you retarded? This is like when internet newfags post the path of their directory in an attempt to upload an image.

Jackson Rogers

/home/user/Pictures/super_funny_meemee_XD.jpg

Cooper Sanchez

Which is why you should use firejail to prevent browsers from looking at your home directory

Isaac Clark

this.

Dominic Johnson

extremetech.com/computing/51140-netscape-and-mozilla-share-msie-filestealing-bug
2002
Doubt it's the first example either. It's been around a long time.

Jayden Lee

2001 called, they want their exploit back.

Grayson Lee

Everytime someone posts a retarded thread like this it astounds me that retards like this can even exist.
But then i realise, this is the norm, this is what current year technomagic fags actually think.
I want to die.

Ryder Parker

She looks clumsy so she is cute! So I wanna rape her!

Landon Rogers

How feasible would it be for websites to start providing their JS scripts instead of just loading them every time?
Take for example Zig Forums.
Instead of loading the JS from the server (it could change at any time to get your IP through a vulnerability), they would provide the JS they run so that you can read it and then add it yourself, so you can run all the benefits of JS while on a VPN and being totally safe, since you've read the code that is running.
What if they can use this to check if a file exists?
Then they could know if you installed a certain package, too.

Austin Edwards

You just brought back memories from 16 years ago, man. I was such a retard...

Attached: serveimage.jpg (496.63 KB, 600x720)

Bentley Watson

You can already do that, just copypaste Zig Forums's scripts into greasemonkey or something, and then use another plugin like uMatrix to block scripts from Zig Forums.

Anthony Jenkins

They can do that especially on windows or mac but also linux.
They can just do frameset-alike targeting html tags on your local files and check for responses or errors (you can even attach debugger in JS!). Let's say you have profile picture on C:/favicon.ico can also do %appdata%/ms/ thumbnails db, ie cookies/history, profile picture on new windows, browser cache favicon.ico etc etc etc they can then screenshot or fetch it with the magic of turing complete Javascript and even hide the code under a base64 -> ??? -> base64 -> html script tags so you'd mistake as just another bloated URI (actually they're very dangerous!).
What's stopping them from doing so? It's free, just neckbeard and no funding required. We hacked android with a measly png file, we hacked windows with a INI text file, an entire server with a malformed GIF, ruby, command address injection on OS or on SQL.
The world is your cloyster.
If you're one of those "proof I don't believe you" people then I'll tell you that they can fingerprint your entire system font list with a simple JS.
Sometimes even a few bytes - bites!

Brody Parker

I've been to some parts of the deep web and there is this URI html comment generated for users that works as a fingerprint-level session cookie and since it is written in the page, there is no way to delete it. Now come back and disable your js, css, and html5 when the server itself can reverse your machine name, lookup your dns, your IP, network latency and response, and time+millisecond RTC difference. You already lost before you even had the time to pick up your sword.

Nathaniel Peterson

> system font list
this is the thing I never get, how is that something privacy-invasive?
Like, if you don't do ricing/photo editing or something then your system fonts are the same as over9000 other computers in the world tbh

Leo Brown

Some programs like adobe and word processors may install fonts.

Samuel Howard

Also different distributions may have different ones.

Jackson Johnson

cianigger windows update installs unique font into your computer to ID you
this works but if they haven't done this yet, expect them doing so now that they know
this

Nathan Ramirez

redit

Hudson Stewart

God help us all what is this thread

Attached: eric.png (357.4 KB, 472x910)

Mason Wright

tbh just disable javascript and %99 of the fluorescent black persons can't access your computer or cp stash in it you disgusting pedo kill yourself

Landon Perez

That's for accessing C:\ when gay restrictions block it

Dylan Ward

Do we know this for sure? In every browser?

Jayden Hughes

wasn't something like this used to get the real IP of a Tor user?

Levi Morgan

that's a CUTE crocodile!

Christopher Murphy

Please kill yourself immediately, you colossal fucking retard.

Josiah Foster

I mean it's not really a dumb question, it would be a legitimate security risk had browsers not implemented specific protections against this kind of attack

Andrew Collins

wouldn't you in some way get into trouble because of CORS trying to do that? Or does the CORS policy (=forbidden by default, which makes testing that restapi you just built a real pain in the ass) only act on things downloaded, not things uploaded?

Grayson Scott

Yes, and hackers have been uploading ALL of your personal data to their servers via XHR for over a decade. But don't tell anyone. Keep it between us.

Kayden White

"chromium --disable-web-security"
"Pain in ass"

Alexander Hughes

Like testing REST api by browser isn't enough cringe.

Charles Davis

Javascript doesn't work cross domain

Xavier Taylor

> I realized that web browsers can load files from the local file system with this protocol:
welcome to 1995

Aiden Gomez

meme that is not worth saving (not cute or fun)
low quality image in PNG
0.4MP with plain background
357KB
Can you stop posting your stegshits for a while?

Jose Sanders

Don't run your web browser and other shit on an account that has access to /var/log, duh.

Brayden James

As noted, it's easily mitigated by same origin policy or whatever. In this case, content fetched over http(s):// cannot fetch content over file://
Your example works probably because you open that document over file:// too. Try to fetch it from a webserver and see what happens.

Though the question is not stupid, IMO. Like, if you don't know how exactly a particular implementation of a browser works, you shouldn't just assume it doesn't steal your wallet the moment you go online LOL.
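
The check suggested in the post above (serve the opening post's page from a web server instead of opening it from disk), as an added example that is not part of the thread. It is a loopback-only Python server; `build_page`, `make_server`, port 8000 and the on-page status text are names chosen here, and the image path is the one from the opening post.

```python
import html
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import PurePosixPath

# Path from the opening post; point it at any image that exists on your machine.
LOCAL_IMAGE = "/etc/alternatives/start-here-16.png"


def build_page(local_path: str) -> bytes:
    """Return a page whose only subresource is a file:// image."""
    url = html.escape(PurePosixPath(local_path).as_uri(), quote=True)
    return f"""<!doctype html>
<p>Page origin: <code id="origin"></code></p>
<p>Local image: <code>{url}</code></p>
<p>Result: <b id="result">pending</b></p>
<img id="probe" alt="local file" data-src="{url}">
<script>
  // The outcome is only written into this tab; nothing is sent anywhere.
  const out = document.getElementById("result");
  const img = document.getElementById("probe");
  document.getElementById("origin").textContent = location.origin;
  img.onload = () => out.textContent = "LOADED: file:// allowed from this origin";
  img.onerror = () => out.textContent = "BLOCKED: file:// refused from this origin";
  img.src = img.dataset.src;
</script>
""".encode("utf-8")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = build_page(LOCAL_IMAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def make_server(port: int = 0) -> ThreadingHTTPServer:
    """Bind to loopback only, so the page is not reachable from the network."""
    return ThreadingHTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    print("Open http://127.0.0.1:8000/ in the browser under test")
    make_server(8000).serve_forever()
```

Served this way the page has an http origin, so per the post the result should not read LOADED; saving the same HTML to disk and opening it via file:// reproduces the opening post's setup for comparison.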

Camden Campbell

he didn't already know this
The fuck?
> Should I be worried about this?
No. The "file://" would refer to files on the server, not your local machine.
Even if it were possible through some kind of an exploit you can always restrict your browser to its own folder by using permissions so that it can't leave the folder and access your files.

Jaxson Anderson

it's as if you didn't even read what you're replying to
no, file:// refers to files on your local filesystem. now shut the fuck up. no current OS offers a practical way to support the permissions you claim either. it's just UNIX turds everywhere

Nolan Nelson

fundamental retardism in the browser is easily mitigated by using a complex meme piece of shit which has never been anything more than a bandaid
what could ever go wrong?

Chase Ortiz

slowpoke.xss.png.js

Ryder Walker

I literally just tested it and it doesn't work.
> practical way to support the permissions you claim
Android and GNU do, retard.

Owen James

In android's case it just won't have access to files.

Ethan Garcia

HAPAS ARE SUPERIOR TO WHITES

Henry King

This is fucking outrageous. Fuck the jews and everyone who let this happen.

Dylan Johnson

Whatcha saying schlomo?

Nicholas Wilson

Looks like some Soros-funded controlled opposition to me.

Jace Morgan

These are our enemies. Why are we supporting them?

Jacob Ramirez

e-celeb thread

Juan Flores

e-celeb thread

Tyler Green

Go back to reddit.

Mason Johnson

> I literally just tested it and it doesn't work.
My single test on my single system had a single result that I will proclaim universally reproducible across all systems.

Attached: niggles.jpg (14.63 KB, 400x301)

Camden Perez

Such a fitting OP image, even the anime girl is unsure of herself.

Attached: 8b72e7032ef7596a78d1f9e69f49fac6901660ddfd3187af2fff99b56542f72f.jpg (20.19 KB, 360x318)