Internal Affairs: Hacking File System Access from the Web

The presentation discusses the File System Access API, its implementation, and potential security vulnerabilities that can be exploited by malicious websites.

• The File System Access API allows websites to read, write, and edit files and folders on a user's device with their approval
• The API has been implemented in many Chromium-based browsers and has potential for standardization
• Several security features have been implemented, but there are still ways for hostile websites to gain arbitrary code execution and slip malicious code past security scans
• An anecdote is provided to illustrate how a website can use the API to gain access to a user's system and execute malicious code

The presenter demonstrates how a website can use the File System Access API to gain access to a user's system and execute malicious code by tricking the user into downloading a script that requests writable access to a file. The website retains write access to the file even after the user has run it in something else, allowing the website to add additional commands to the file and execute them without detection. The presenter notes that this attack only works with script-like execution types that do not maintain handles during execution.

The File System Access API deployed to browsers this year is the current version of a W3C draft to give websites, with user approval, the ability to read, write, and edit files and folders the user selects on their devices, an outgrowth of an earlier proposal called Native File System. It has been released and deployed in many Chromium-based browsers. Despite a number of security features implemented in the API, this presentation will show several ways in which a hostile website may gain arbitrary code execution and slip malicious code past operating system and security product scans, or even detailed, manual inspection.