BLOCKING FILE SYSTEM ACCESS -- DANGEROUS ALLOWANCE -- IDEAS & SUGGESTIONS
Hello to all,
I was searching on Google how to block file:///C:/ or file:///D:/ because this is dangerous to allow!!! Shocking! And this is still not fixed after years of developments... Why? To keep this allowed makes it too easy for hackers, especially with multiple screens and a shadow/background screens available which can be running in the background, not seen, when hackers do that.. Kind of the way TeamViewer allows help to be provided remotely. Kind of screen sharing. Oh well...
Maybe need lots of complaints from you all to get this changed?..
Try yourselves to use file://C:/ with 2 // and file:///C:/ with 3 // and both are allowing access to the whole file system and any data file. BONKERS??? But why to use 3 /// if 2 // still works? Insider's job or programming conflict? Why would Firefox programmers allow that? I do not understand...
I tried to use selective website blocker, but for file:/// that addon says that the page is not supported... Maybe another type of addon could be developed for this to be blocked and secured once and for all, but not sure if Firefox would allow such an access or such a blocking. May cause issues with Downloads and accessing download folder from within Firefox. HOWEVER, they could block any system or file access from the ADDRESS BAR and SEARCH BAR and then do a work-around solution by developing a special warning 'dialog message' each time when any user (owner or remote user) tries to access forlder to see or use any file. That would be a lot like a guest account requiring password to access special folder or file, or wants to perform an action usually not allowed for a guest user. Password is required for that each time, or at leats a visual confirmation. That would help, I hope...
Would need to re-educate users after this! TOO DANGEROUS TO KEEP THIS IN SUCH A WAY AS IT IS NOW!!!!
DOES FIREFOX TEAM UNDERSTAND THIS? Maybe they forgot about this, maybe they did not figure out how to solve this, or maybe someone from an inside is helping hackers to have a very easy access? Not sure, but this "open doors to all system and data files for anyone" is shocking!
What about business or government people? What about online bullying and harrassment? What about privacy about which Firefox writes so much? Need more complaints to make this a serious issue. So, everyone, please write your own comments or complaints to Firefox and Chrome directly and maybe they will listen. This may take more work than we think, but my ideas may help. What about your ideas? Express them below and maybe they will help as well.
You all can ask them for this to be blocked or solved, so ask. Maybe my ideas will help to get this moving. Write your own to them as well. And Microsoft may need to get involved as well because Firefox, and from what I read, Chrome allows this too... Other browsers may be doing that as well...!!!!!! There are loads of various browsers available!!!! I read something about Windows Policies, but I do not understand what that is...
(( !!! )) If any of you will try any system changes in an attempt to try solving this issue, make sure you are okay to risk with crashed system requiring reinstall or recovery to be used, and then, write down all the changes you do in detail before carrying any further and applying them because that may ruin the system without a way to recover it.
Thank you in advance.
Chosen solution
jscher2000, it feels that you are not as Security savvy as you think you are. Good that the GSEC expired for you. To be so certain with security when you are obviously not caring or not well educated about the hacking is dangerous! Stay away from that and mind your own business only at what you are good at.
If you would see what I wrote in security Facebook groups, you would probably shut up and stop commenting trying to portray yourself as all-knowing... I do not need GSEC to be considered as smart, I am smart without having diplomas such as PHD or Bachelors or similar. Very well educated people are making so many mistakes that it is scary to even start thinking about them. Life is life, diploma is just that. Need to care and to be a honest person! Being fake is being fake. Fake == Fake. Ouch, eh? Stop trying to portray yourself as very smart whilst hiding behind an expired diploma and biased claims or information because that is ridiculous.
1 --------------------------------------
TO: Ethical Hacking / Cyber Security
REGARDING: WordPress Websites Attacked via File Manager Plugin Vulnerability
Please take serious measures to defend address and search bar inputs for Firefox, Chrome and other browsers. FILE SYSTEM IS FULLY ACCESSIBLE THERE WITH A SIMPLE COMMAND LIKE FILE://....... WHAT IS A BIG FLAW IN MY OPINION! This is the first problem. File manager could also be improved by prompting users each time before file system or any file from a browser is accessed.
Also, it may be useful to isolate addon installation folders to another location, maybe to the ROAMING folder in User's AppData, and their processes are probably best to be done there rather than all of them being allowed to be installed and processed within the Mozilla or Chrome folder. Also, browser developers need to invest more time in security rather than upgrades.... That will provide better security and reliability.
2 ----------------------------------------------------------- TO: Ethical Hacking / Cyber Security REGARDING: What Programming Languages Do Ethical Hackers Use?
I think that this may be useful for you: 1. Stop using https where it is not needed. 2. Put receivable data into a separate folder or server (separate). 3. Separate .js and .css from .html files into their own files and secure all of them. HTML files are to be read only and not supposed to collect or process info/data. 4. Confidential data must be encoded and stored in at least 1 other place as a backup. Then, data can be separated from user login details and banking details into 2 places and each secured differently to provide more security.
3 ------------------------------------------------------------------------------------------- TO: Cybersecurity and Infrastructure Security Agency / Ethical Hacking / Cyber Security
If there are too many packets incoming, is there an expectancy for that in the system? THINK ABOUT THIS... Were there requests for that which would have occured if any amount of logged-in users would have entered into a specific page and tried to upload some kind of data? If someone is going to let's say Facebook or Twitter or else website and logs in, then user has to enter into a specific page and click onto a specific link before any user can upload or access any data which is not displayed by deafult. So, even if user would click onto a "comment" or a "new topic" area to write something, that is already considered as a request to start typying. If there are not enough of requests and a system is receiving too many packets, that means someone is trying to breach in. Simple? Does that make sense? If no, ask something specific.
You all need to use more logic or a better logic in the programming and security services. Criminals are often struggling with that and that would help them to do less crime. Thank you for looking into this.
As you can now see, I know what I am writing about! I do care and I help to make positive changes whereas you are appearing to be a miserable deceiver. GO AWAY! This was my last response. I will refuse to waste any more of my time with you. Get better. Happy Christmas. BYE!
All Replies (6)
I'm not sure I understand why you think this is dangerous.
I don't think you are objecting to a user looking at files on their own computer using Firefox (although that mostly won't work because most files are not a format Firefox can read).
This feature is not directly available to websites or, as you discovered, to add-ons. They definitely have thought about that risk.
In your scenario of an intruder already on your system, they will get much better results using Windows' File Explorer or a similar tool than using a browser.
That all said, Firefox 83 introduced a new policy feature to block file system browsing access. I haven't tested it, but here are some resources if you want to try it when you update to that version:
You do not understand maybe because you have no education in cyber security and file system access and privacy and etc. That is your choice to express in such a way, but at least do not try to deny that when you seemingly have no understanding about that or maybe there is or are other reason(s) regarding this matter which you hide or do not want to accept.
In relation to you accusing me with an objection to user looking at personal files through FIrefox, I think you are on the wrong side. That is your choice, but do not try to deny security issues in relation to what I wrote about! FIY, files can be snatched and then later seen on another system by hackers who can hack even wi-fi networks with not-so-safe encodings even though there are passwords set on them for security and privacy reasons.
Again, you are proving yourself that you are either having no idea what you are writing about or that you are on the other side of the topic...
Why to hack file system if an easier access is left within the Firefox? Why for a thief to break in through the front door if it is easier to choose a side window or a back door? What will you reply with nthis time? Or will you stay quiet and start unraveling your own bias?
In relation to your expression, you being so educated should know that we are communicating in writing, not in a verbal way. So, no sayings here, please.
Thank you for the links provided. Bye.
Modified by XERRAX
Well, I let my GSEC certification expire in 2008, so I can't claim to be up-to-date. However, please explain to me how a website would access a file on my computer without my intentionally clicking a Browse button created by an <input type="file"> tag to upload a file. That seems to be a missing link in your argument.
So, you did not bother with that. Certification does not imply that you know enough about industry or relevant topic like toxic cancer cures are killing people for profit while lots of natural cures and treatments are available, but do not worry about that as long as you aim to earn 200,000 per year and complain that it is not enough whilst killing people for profit and toxifying waters and nature with all those toxic substances.
Bypassing links is simple, but you can continue living in ignorance. It is also not necessary to access file to get system's access. First need to get into the system and make temporary stay for browsing more secure for personal gains. But keep on absorbing all the flawed learning from the books, if that is enough, yet then do not try to claim being smart with that GSEC. Many hackers do not study or read any of that and yet at 15 years old manage to hack pentagon and other places at ease. Security, pfft.
For hacking to be less effective, they should at first be more proactive in educating from more than one source and think about that from more than one perspective.
Hi XERRAX, what does this mean:
It is also not necessary to access file to get system's access. First need to get into the system and make temporary stay for browsing more secure for personal gains.
If you are aware of a specific way to exploit Firefox, don't waste your time posting on the forum, file a bug and mark it security sensitive. https://bugzilla.mozilla.org/
For hacking to be less effective, they should at first be more proactive in educating from more than one source and think about that from more than one perspective.
Many Firefox users subscribe to the Mozilla newsletter. https://www.mozilla.org/newsletter/ If you want to contribute an article educating end users about hacking, you could propose one for publication there.
Chosen Solution
jscher2000, it feels that you are not as Security savvy as you think you are. Good that the GSEC expired for you. To be so certain with security when you are obviously not caring or not well educated about the hacking is dangerous! Stay away from that and mind your own business only at what you are good at.
If you would see what I wrote in security Facebook groups, you would probably shut up and stop commenting trying to portray yourself as all-knowing... I do not need GSEC to be considered as smart, I am smart without having diplomas such as PHD or Bachelors or similar. Very well educated people are making so many mistakes that it is scary to even start thinking about them. Life is life, diploma is just that. Need to care and to be a honest person! Being fake is being fake. Fake == Fake. Ouch, eh? Stop trying to portray yourself as very smart whilst hiding behind an expired diploma and biased claims or information because that is ridiculous.
1 --------------------------------------
TO: Ethical Hacking / Cyber Security
REGARDING: WordPress Websites Attacked via File Manager Plugin Vulnerability
Please take serious measures to defend address and search bar inputs for Firefox, Chrome and other browsers. FILE SYSTEM IS FULLY ACCESSIBLE THERE WITH A SIMPLE COMMAND LIKE FILE://....... WHAT IS A BIG FLAW IN MY OPINION! This is the first problem. File manager could also be improved by prompting users each time before file system or any file from a browser is accessed.
Also, it may be useful to isolate addon installation folders to another location, maybe to the ROAMING folder in User's AppData, and their processes are probably best to be done there rather than all of them being allowed to be installed and processed within the Mozilla or Chrome folder. Also, browser developers need to invest more time in security rather than upgrades.... That will provide better security and reliability.
2 ----------------------------------------------------------- TO: Ethical Hacking / Cyber Security REGARDING: What Programming Languages Do Ethical Hackers Use?
I think that this may be useful for you: 1. Stop using https where it is not needed. 2. Put receivable data into a separate folder or server (separate). 3. Separate .js and .css from .html files into their own files and secure all of them. HTML files are to be read only and not supposed to collect or process info/data. 4. Confidential data must be encoded and stored in at least 1 other place as a backup. Then, data can be separated from user login details and banking details into 2 places and each secured differently to provide more security.
3 ------------------------------------------------------------------------------------------- TO: Cybersecurity and Infrastructure Security Agency / Ethical Hacking / Cyber Security
If there are too many packets incoming, is there an expectancy for that in the system? THINK ABOUT THIS... Were there requests for that which would have occured if any amount of logged-in users would have entered into a specific page and tried to upload some kind of data? If someone is going to let's say Facebook or Twitter or else website and logs in, then user has to enter into a specific page and click onto a specific link before any user can upload or access any data which is not displayed by deafult. So, even if user would click onto a "comment" or a "new topic" area to write something, that is already considered as a request to start typying. If there are not enough of requests and a system is receiving too many packets, that means someone is trying to breach in. Simple? Does that make sense? If no, ask something specific.
You all need to use more logic or a better logic in the programming and security services. Criminals are often struggling with that and that would help them to do less crime. Thank you for looking into this.
As you can now see, I know what I am writing about! I do care and I help to make positive changes whereas you are appearing to be a miserable deceiver. GO AWAY! This was my last response. I will refuse to waste any more of my time with you. Get better. Happy Christmas. BYE!
Modified by XERRAX