I've posted the first part of the demonstrations for the Mozilla Firefox file stealing vulnerabilities discussed in MFSA 2008-02: Multiple file input focus stealing vulnerabilities.
The page is available from here.
These demonstrations are currently available in Bugzilla, but I wanted to tie them together with some of the other file stealing vulnerabilities. There is quite of list of other Bugzilla entries detailing possible file stealing attacks, some of which reach all the way back to the year 2000.
I find the two demos very fascinating, because they represent failures to fully address a vulnerability. The original vulnerability was related to using the 'focus()' method to set the focus on a label. Unfortunately, not all of the code paths were examined and it was possible to redirect the focus by clicking on a nested label or by programmatically creating and sending a "click" MouseEvent.
- Nested label stealing: Firefox Focus Bug - File Stealing - DEMO (Bug #404391)
- MouseEvent "click" stealing: Firefox Focus Bug - File Stealing - DEMO (Bug #404391)
I will post the second part after I confirm that the other "spoofing" vulnerabilities were fully addressed in Opera.