Alright Zig Forums...

Alright Zig Forums, I have been doing some computering lately and I realized that web browsers can load files from the local file system with this protocol:
file://
Could CIAniggers use this to load files from paths that are always the same and then send them off with JavaScript in order to find out information about you?
Like these:
C:\WindowsC:\ProgramData/var/log/etc/home/
When I put this:

into a html file and open it, It loads the Debian icon.

Should I be worried about this?
Pls respond am not good with computer.

Attached: concerned anime aligator.png (290x288, 91.48K)

Other urls found in this thread:

extremetech.com/computing/51140-netscape-and-mozilla-share-msie-filestealing-bug

Locally opened files have different rules than websites that you load, other websites can't do that.

Ok, good. Thats a relief.

Yes you should. Even if the API intends to do this, it can probably be bypassed. Even if it's well designed (it isn't), it can probably be bypassed with side channels. The first step is to disable JS. The second step CSS. The third step, stop using web browsers. Fact: There are hundreds of browser vulnerabilities discovered every day, and lots patched every day.

this is nothing new, and no, it's not an issue
websites can't just load files from your computer, and if you think they can, you don't know shit about how web browsers work
the only way they could do that is through some code execution exploit in your browser that would allow an attacker to perform remote code execution, but that has absolutely nothing to do with file://

Neither of these stops the page from linking a local address from an image.

they cant use javascript tricks to get the file if its disabled

They can only get files via selecting them with the upload dialog box.

Nigger, are you retarded? This is like when internet newfags post the path of their directory in an attempt to upload an image.

/home/user/Pictures/super_funny_meemee_XD.jpg

Which is why you should use firejail to prevent browsers from looking at your home directory

this.

extremetech.com/computing/51140-netscape-and-mozilla-share-msie-filestealing-bug
Doubt its the first example either. Its been around a long time.

2001 called, they want their exploit back.

Everytime someone posts a retarded thread like this it astounds me that retards like this can even exist.
But then i realise, this is the norm, this is what current year technomagic fags actually think.
I want to die.

She looks clumsy so she is cute! So I wanna rape her!

How feasible would it be to websites start providing their js scripts instead of just loading it everytime?
Take for example Zig Forums.
Instead of loading the JS from the server(it could change at any time to get your IP through a vulnerability), they would provide the JS they run so that you can read it and then add it yourself, so you can run all the benefits of JS while on a VPN and being totally safe, since you've read the code that is running.

What if they can use this to check if a file exists?
Then they could know if you installed a certain package, too.

You just brought back memories from 16 years ago, man. I was such a retard...

Attached: serveimage.jpg (600x720, 496.63K)

You can already do that, just copypaste Zig Forums's scripts into greasemonkey or something, and then use another plugin like uMatrix to block scrips from Zig Forums.

They can do that especially on windows or mac but also linux.
They can just do frameset-alike targeting html tags on your local files and check for responses or errors (you can even attach debugger in JS!). Let's say you have profile picture on C:/favicon.ico can also do %appdata%/ms/ thumbnails db, ie cookies/history, profile picture on new windows, browser cache favicon.ico etc etc etc they can then screenshot or fetch it with the magic of turing complete Javascript and even hide the code under a base64 -> ??? -> base64 -> html script tags so you'd mistake as just another bloated URI (actually they're very dangerous!).
What's stopping them from doing so? It's free, just neckbeard and no funding required. We hacked android with a measly png file, we hacked windows with a INI text file, an entire server with a malformed GIF, ruby, command address injection on OS or on SQL.
The world is your cloyster.
If you're one of those "proof I don't believe you" people then I'll tell you that they can fingerprint your entire system font list with a simple JS.
Sometimes even a few bytes - bites!

I've been to some parts of the deep web and there is this URI html comment generated for users that works as a fingerprint-level session cookie and since it is written in the page, there is no way to delete it. Now come back and disable your js, css, and html5 when the server itself can reverse your machine name, lookup your dns, your IP, network latency and response, and time+millisecond RTC difference. You already lost before you even had the time to pick up your sword.

this is the thing I never get, how is that something privacy-invasive?
Like, if you don't do ricing/photo editing or something then your system fonts are the same as over9000 other computers in the world tbh

Some programs like adobe and word processors may install fonts.

Also different distributions may have different ones.

this works but if they haven't done this yet, expect them doing so now that they know

redit

God help us all what is this thread

Attached: eric.png (472x910, 357.4K)

tbh just disable javascript and %99 of the fluorescent black persons can't access your computer or cp stash in it you disgusting pedo kill yourself

That's for accessing C:\ when gay restrictions block it

Do we know this for sure? In every browser?

wasnt something like this used to get the real ip if a tor user

that's a CUTE crocodile!

Please kill yourself immediately, you colossal fucking retard.

I mean it's not really a dumb question, it would be a legitimate security risk had browsers not implemented specific protections against this kind of attack

wouldn't you in some way get into trouble because of CORS trying to do that? Or does the CORS policy (=forbidden by default, which makes testing that restapi you just built a real pain in the ass) only act on things downloaded, not things uploaded?

Yes, and hackers have been uploading ALL of your personal data to their servers via XHR for over a decade. But don't tell anyone. Keep it between us.

"chromium --disable-web-security"
"Pain in ass"

Like testing REST api by browser isn't enough cringe.

Javascript doesn't work cross domain

welcome to 1995

Can you stop posting your stegshits for a while?

Don't run your web browser and other shit on an account that has access to /var/log, duh.

As noted, it's easily mitigated by same origin policy or whatever. In this case, content fetched over http(s):// cannot fetch content over file://
Your example works probably because you open that document over file:// too. Try to fetch it from a webserver and see what happens.

Though the question is not stupid, IMO. Like, if you don't know how exactly a particular implementation of a browser works, you shouldn't just assume it doesn't steal your wallet the moment you go online LOL.

The fuck?
No. The "file://" would refer to files on the server, not your local machine.
Even if it were possible through some kind of an exploit you can always restrict your browser to it's own folder by using permissions so that it can't leave the folder and access your files.

it's as if you didn't even read what you're replying to

no, file:// refers to files on your local filesystem. now shut the fuck up. no current OS offers a practical way to support the permissions you claim either. it's just UNIX turds everywhere

what could over go wrong?

slowpoke.xss.png.js

I literally just tested it and it doesn't work.
Android and GNU do, retard.

In android's case it just won't have access to files.

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

HAPAS ARE SUPERIOR TO WHITES

This is fucking outrageous. Fuck the jews and everyone who let this happen.

Whatcha saying schlomo?

Looks like some Soros-funded controlled opposition to me.

These are our enemies. Why are we supporting them?

...

...

Go back to reddit.

My single test on my single system had a single result that I will proclaim universally reproducible across all systems.

Attached: niggles.jpg (400x301, 14.63K)

Such a fitting OP image, even the anime girl is unsure of herself.

Attached: 8b72e7032ef7596a78d1f9e69f49fac6901660ddfd3187af2fff99b56542f72f.jpg (360x318, 20.19K)