
Security hole in ZeroNet software! (Clearnet websites and zites can track what zites and files you have on your PC with a malicious script)

Open mx5kevin opened this issue 3 years ago • 2 comments

It's possible for other zites or clearnet sites to access sensitive files through the browser.

See:

http://127.0.0.1:43110/1ScanCY9fjmjanDt7NwvyNQCL16hqWnVM/

Browsers leak too many sensitive things! Even if the user sets up TOR ALWAYS mode and uses Tor Browser, the security can still be bypassed. The hole breaks users' anonymity through TOR+ with Tor Browser. Clearnet and ZeroNet zites can detect what zites and files the user has. If the user opens a malicious site, the site can detect all zites and files that the user has, plus the real IP behind TOR. With another vulnerability, the user's real IP behind TOR can be detected with the same technique.

The solution would be a specific browser with only localhost access, and disabling access to the software from all other browsers with clearnet access. Like Tor Browser with a special plugin that only allows communication through the browser using the TOR network and disables access to the software from other browsers. This would patch these security holes.

mx5kevin, May 13 '22 07:05

Not using my current primary web browser and needing to keep a second, special, fully featured web browser running would be a significant inconvenience.

Also, I like cross-zite linking to images and videos. It reduces wasted disk space used by ZN (unless there is some effective ZN on-disk de-duplication mechanism). Some people link to clearnet images. I understand that thanks to this, a bad person can record the date, time, IP, and browser details of such a request, and it may help to suggest to a dedicated bad actor what MAY be a certain ZN user's IP (after they also set up some monitoring of the zite changes etc.).

I am unsure about the title of this issue, where it suggests a script can read files on my PC. But I think there was some hole in ZN that may have allowed this, and if there is a high risk of such holes appearing again, it would be worth applying some of mx5kevin's suggestions.

slrslr, May 16 '22 07:05

Can't this be fixed by putting cross-origin headers and so on and so forth?

yanmaani, May 26 '22 20:05
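
What the cross-origin headers suggested in the last comment could look like on a gateway listening at `127.0.0.1:43110`, as an added example that is not part of the thread and not ZeroNet's own code. `CrossOriginGuard`, `demo_app`, `probe` and the sample zite path are hypothetical names, and the requests are constructed. It covers only a page from another origin embedding or fetching gateway URLs; all zites share the gateway's origin, so these headers do not separate one zite from another.

```python
# Added illustration: generic WSGI middleware, not ZeroNet's own code.
GATEWAY_HOSTS = {"127.0.0.1:43110"}  # gateway address from the URL in the issue

class CrossOriginGuard:
    """Refuse requests started by other origins; mark responses same-origin."""

    def __init__(self, app, allowed_hosts=GATEWAY_HOSTS):
        self.app = app
        self.allowed_hosts = allowed_hosts

    def __call__(self, environ, start_response):
        site = environ.get("HTTP_SEC_FETCH_SITE")  # absent in browsers without Fetch Metadata
        dest = environ.get("HTTP_SEC_FETCH_DEST")
        # An unexpected Host header is treated as a DNS-rebinding attempt.
        if environ.get("HTTP_HOST", "") not in self.allowed_hosts:
            return self._deny(start_response)
        # Embeds and fetches started by another site are refused before any
        # zite or file lookup, so the answer is the same whether or not the
        # path exists. Top-level navigation (a followed link) is still served.
        if site in ("cross-site", "same-site") and dest != "document":
            return self._deny(start_response)

        def guarded_start(status, headers, exc_info=None):
            # For browsers that sent no Fetch Metadata: let the browser block
            # no-cors loads of this response from other origins.
            extra = [("Cross-Origin-Resource-Policy", "same-origin"),
                     ("X-Content-Type-Options", "nosniff")]
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, guarded_start)

    @staticmethod
    def _deny(start_response):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden"]

def demo_app(environ, start_response):
    # Stand-in for the gateway's real request handler (hypothetical).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"zite content"]

def probe(headers, path="/1ExampleZiteAddress/content.json"):
    """Send one constructed request through the guard; return (status, headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, **headers}
    seen = {}
    def record(status, hdrs, exc_info=None):
        seen.update(status=status, headers=dict(hdrs))
    b"".join(CrossOriginGuard(demo_app)(environ, record))
    return seen["status"], seen["headers"]
```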