Alright Zig Forums...

Alright Zig Forums, I have been doing some computering lately and I realized that web browsers can load files from the local file system with this protocol:
file://
Could CIAniggers use this to load files from paths that are always the same and then send them off with JavaScript in order to find out information about you?
Like these:
C:\Windows
C:\ProgramData
/var/log
/etc
/home/
When I put this:

into an HTML file and open it, it loads the Debian icon.

Should I be worried about this?
Pls respond am not good with computer.


Locally opened files have different rules than websites that you load, other websites can't do that.

Ok, good. That's a relief.

Yes you should. Even if the API intends to do this, it can probably be bypassed. Even if it's well designed (it isn't), it can probably be bypassed with side channels. The first step is to disable JS. The second step CSS. The third step, stop using web browsers. Fact: There are hundreds of browser vulnerabilities discovered every day, and lots patched every day.

this is nothing new, and no, it's not an issue
websites can't just load files from your computer, and if you think they can, you don't know shit about how web browsers work
the only way they could do that is through some code execution exploit in your browser that would allow an attacker to perform remote code execution, but that has absolutely nothing to do with file://

Neither of these stops the page from linking a local address from an image.

they can't use javascript tricks to get the file if it's disabled

They can only get files via selecting them with the upload dialog box.

Nigger, are you retarded? This is like when internet newfags post the path of their directory in an attempt to upload an image.

/home/user/Pictures/super_funny_meemee_XD.jpg

Which is why you should use firejail to prevent browsers from looking at your home directory

this.

extremetech.com/computing/51140-netscape-and-mozilla-share-msie-filestealing-bug
Doubt it's the first example either. It's been around a long time.

2001 called, they want their exploit back.

Every time someone posts a retarded thread like this it astounds me that retards like this can even exist.
But then I realise, this is the norm, this is what current year technomagic fags actually think.
I want to die.

She looks clumsy so she is cute! So I wanna rape her!

How feasible would it be for websites to start providing their JS scripts instead of just loading it every time?
Take for example Zig Forums.
Instead of loading the JS from the server (it could change at any time to get your IP through a vulnerability), they would provide the JS they run so that you can read it and then add it yourself, so you can run all the benefits of JS while on a VPN and being totally safe, since you've read the code that is running.

What if they can use this to check if a file exists?
Then they could know if you installed a certain package, too.

You just brought back memories from 16 years ago, man. I was such a retard...


You can already do that, just copypaste Zig Forums's scripts into greasemonkey or something, and then use another plugin like uMatrix to block scripts from Zig Forums.

They can do that especially on windows or mac but also linux.
They can just do frameset-alike targeting html tags on your local files and check for responses or errors (you can even attach debugger in JS!). Let's say you have profile picture on C:/favicon.ico can also do %appdata%/ms/ thumbnails db, ie cookies/history, profile picture on new windows, browser cache favicon.ico etc etc etc they can then screenshot or fetch it with the magic of turing complete Javascript and even hide the code under a base64 -> ??? -> base64 -> html script tags so you'd mistake as just another bloated URI (actually they're very dangerous!).
What's stopping them from doing so? It's free, just neckbeard and no funding required. We hacked android with a measly png file, we hacked windows with an INI text file, an entire server with a malformed GIF, ruby, command address injection on OS or on SQL.
The world is your cloyster.
If you're one of those "proof I don't believe you" people then I'll tell you that they can fingerprint your entire system font list with a simple JS.
Sometimes even a few bytes - bites!

I've been to some parts of the deep web and there is this URI html comment generated for users that works as a fingerprint-level session cookie and since it is written in the page, there is no way to delete it. Now come back and disable your js, css, and html5 when the server itself can reverse your machine name, lookup your dns, your IP, network latency and response, and time+millisecond RTC difference. You already lost before you even had the time to pick up your sword.

this is the thing I never get, how is that something privacy-invasive?
Like, if you don't do ricing/photo editing or something then your system fonts are the same as over9000 other computers in the world tbh

Some programs like adobe and word processors may install fonts.

Also different distributions may have different ones.

this works but if they haven't done this yet, expect them doing so now that they know

redit

God help us all what is this thread


tbh just disable javascript and %99 of the fluorescent black persons can't access your computer or cp stash in it you disgusting pedo kill yourself

That's for accessing C:\ when gay restrictions block it

Do we know this for sure? In every browser?

wasn't something like this used to get the real IP of a Tor user?

that's a CUTE crocodile!

Please kill yourself immediately, you colossal fucking retard.

I mean it's not really a dumb question, it would be a legitimate security risk had browsers not implemented specific protections against this kind of attack

wouldn't you in some way get into trouble because of CORS trying to do that? Or does the CORS policy (=forbidden by default, which makes testing that restapi you just built a real pain in the ass) only act on things downloaded, not things uploaded?

Yes, and hackers have been uploading ALL of your personal data to their servers via XHR for over a decade. But don't tell anyone. Keep it between us.

"chromium --disable-web-security"
"Pain in ass"

Like testing REST api by browser isn't enough cringe.

Javascript doesn't work cross domain

welcome to 1995

Can you stop posting your stegshits for a while?

Don't run your web browser and other shit on an account that has access to /var/log, duh.

As noted, it's easily mitigated by same origin policy or whatever. In this case, content fetched over http(s):// cannot fetch content over file://
Your example works probably because you open that document over file:// too. Try to fetch it from a webserver and see what happens.

Though the question is not stupid, IMO. Like, if you don't know how exactly a particular implementation of a browser works, you shouldn't just assume it doesn't steal your wallet the moment you go online LOL.

The fuck?
No. The "file://" would refer to files on the server, not your local machine.
Even if it were possible through some kind of an exploit you can always restrict your browser to its own folder by using permissions so that it can't leave the folder and access your files.

it's as if you didn't even read what you're replying to

no, file:// refers to files on your local filesystem. now shut the fuck up. no current OS offers a practical way to support the permissions you claim either. it's just UNIX turds everywhere

what could ever go wrong?

slowpoke.xss.png.js

I literally just tested it and it doesn't work.
Android and GNU do, retard.

In android's case it just won't have access to files.

HAPAS ARE SUPERIOR TO WHITES

This is fucking outrageous. Fuck the jews and everyone who let this happen.

Whatcha saying schlomo?

Looks like some Soros-funded controlled opposition to me.

These are our enemies. Why are we supporting them?

Go back to reddit.

My single test on my single system had a single result that I will proclaim universally reproducible across all systems.


Such a fitting OP image, even the anime girl is unsure of herself.
