Firefox Focus Bug - File Stealing

UPDATED: Firefox 2.0.0.8 supposedly resolves this vulnerability. It will be interesting to see when a new file stealing vulnerability is found.

It is no secret that Mozilla Firefox has had a series of focus related bugs involving the file input type.

Here are just a few examples of past problems that have been reported:

The latest was reported by Carl Hardwick to full-disclosure in June 2007 and included a very simple PoC.

The Bugzilla entry for this doesn't seem to display much sense of urgency. Firefox 2.0.x.y appears to be around until at least April 2008 according to the ReleaseRoadmap. It would be nice if this was fixed before Firefox 2 gets EOL'd. Given past history, the current odds are that it won't be, so I guess I won't be typing large blocks of text into Firefox anytime soon.

In any case, maybe people aren't getting the true flavor of the vulnerability and the possibility of exploitation since the proof-of-concept doesn't actually work that well. I thought I'd code up an actual demo and release it. The same basic vulnerability is being exploited: setting the focus to the label element associated with the file input element bypasses the focus handling on the file element, so keystrokes meant for another control end up in the file input. The demo is probably about a 90% solution because there is only one big textarea, there are some visual glitches and laggy behavior, and it was only tested on an en-US keyboard layout (all of these could be improved given enough work). Even with those caveats, I think the demo makes a pretty convincing case that this might be something to take more seriously.
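For anyone who wants to hunt for this pattern in saved pages or proxy captures rather than wait on a browser fix, here is an added example (not code from the original post or its demo): a static scanner that flags HTML combining the ingredients described above, namely a file input hidden from the user, a label bound to it with for=, script that looks that label up and calls focus(), and a keystroke handler on a page that has a textarea. The indicator names, the style and script regexes, and both sample pages are constructed for the example and are assumptions, not anything from the post.

```python
"""Heuristic scanner for the label-focus file-input pattern (added example)."""
from html.parser import HTMLParser
import re

# Constructed list of style fragments that push an element out of the user's view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)


class _Collector(HTMLParser):
    """Gathers the elements the heuristic cares about from one HTML document."""

    def __init__(self):
        super().__init__()
        self.file_inputs = {}        # input id -> True if hidden from the user
        self.labels = {}             # label id -> id named in its for= attribute
        self.textareas = 0
        self.inline_key_handlers = 0  # onkeypress="..." style attributes
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if any(name.startswith("onkey") for name, _ in attrs):
            self.inline_key_handlers += 1
        if tag == "input" and (a.get("type") or "").lower() == "file":
            hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            key = a.get("id") or a.get("name") or "anon%d" % len(self.file_inputs)
            self.file_inputs[key] = hidden
        elif tag == "label" and a.get("for"):
            self.labels[a.get("id") or "anon%d" % len(self.labels)] = a["for"]
        elif tag == "textarea":
            self.textareas += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Return a sorted list of indicator names; an empty list means nothing matched."""
    c = _Collector()
    c.feed(html)
    js = "\n".join(c.scripts)
    indicators = set()
    for label_id, target in c.labels.items():
        if target not in c.file_inputs:
            continue  # label is bound to something other than a file input
        if c.file_inputs[target]:
            indicators.add("hidden_file_input_with_label")
        # Script that fetches this label by id and calls focus() somewhere
        lookup = r"getElementById\(\s*['\"]%s['\"]\s*\)" % re.escape(label_id)
        if re.search(lookup, js) and ".focus(" in js:
            indicators.add("script_focuses_file_input_label")
    # A key handler plus a textarea only matters alongside a label finding
    has_key_handler = c.inline_key_handlers or re.search(
        r"on(?:key(?:press|down|up))|addEventListener\(\s*['\"]key", js)
    if indicators and c.textareas and has_key_handler:
        indicators.add("keystroke_handler_with_textarea")
    return sorted(indicators)


# Constructed sample with the ingredients described in the post; it submits nothing.
SUSPICIOUS_PAGE = """
<form action="https://example.invalid/collect" method="post" enctype="multipart/form-data">
  <label id="lbl" for="f">&nbsp;</label>
  <input type="file" id="f" name="f" style="position:absolute; left:-2000px">
  <textarea id="big" rows="20" cols="80"></textarea>
</form>
<script>
  document.getElementById('big').onkeypress = function () {
    document.getElementById('lbl').focus();
  };
</script>
"""

# Constructed ordinary upload form for comparison: visible input, no label tricks.
BENIGN_PAGE = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <label for="doc">Attach a document</label>
  <input type="file" id="doc" name="doc">
  <textarea name="notes"></textarea>
  <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    print("suspicious:", scan_html(SUSPICIOUS_PAGE))
    print("benign:    ", scan_html(BENIGN_PAGE))
```

A plain label bound to a file input is normal HTML, so the scanner only reports when the input is hidden or when script focuses the label; the textarea-plus-keystroke-handler indicator is added only on top of one of those, which keeps ordinary forms with autosave handlers out of the results.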

Pick a file from your machine you'd like to see stolen:
C:\boot.ini (Windows)
/etc/hosts (Unix)
~/.ssh/id_rsa.pub (crazy)
~/.gnupg/secring.gpg (totally insane)
Pick your own:

IMPORTANT: if you don't understand the risks, do not go any further!
I understand that by accessing this demo I am voluntarily allowing a file to be transferred from my computer across the Internet.

(Tested with Firefox 2.0.0.7)