This is a personal blog. My other stuff: book | home page | Twitter | prepping | CNC robotics | electronics

May 30, 2012

Yes, you can have fun with downloads

It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs; in more limited circumstances, even individual frames can be targeted. I discuss the consequences of this behavior in The Tangled Web - and several months ago, I shared this amusing proof-of-concept illustrating the perils of this logic: Today, I wanted to showcase a more sneaky consequence of this design - and depending on who you ask, one that is possibly easier to prevent.

What's the issue, then? Well, it's pretty funny: predictably but not very intuitively, the attacker may initiate such cross-domain navigation not only to point the targeted window to a well-formed HTML document - but also to a resource served with the Content-Disposition: attachment header. In this scenario, the address bar of the targeted window will not be updated at all - but a rogue download prompt will appear on the screen, attached to the targeted document.

Here's an example of how this looks in Chrome; the fake flash11_updater.exe download supposedly served from is, in reality, supplied by the attacker:

All the top three browsers are currently vulnerable to this attack; some provide weak cues about the origin of the download, but in all cases, the prompt is attached to the wrong window - and the indicators seem completely inadequate.

You can check out the demo here:

The problem also poses an interesting challenge to sites that frame gadgets, games, or advertisements from third-party sources; even HTML5 sandboxed frames permit the initiation of rogue downloads (oops!).

Vendor responses, for the sake of posterity:

  • Chrome: reported March 30 (bug 121259). Fix planned, but no specific date set.

  • Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.

  • Firefox: reported March 30 (bug 741050). No commitment to fix at this point.
I think these responses are fine, given the sorry state of browser UI security in general; although in good conscience, I can't dismiss the problem as completely insignificant.


  1. For the record in Opera 11.64 the download dialog shows "From: attackers hostname" rather clearly, but the dialog is attached to victim's window.

  2. FWIW, Opera does that at least as far back as v11.0.

    Firefox does something similar, displaying, as the third line of information about the pending download (if you don't have it set to do stuff automatically) "from:".

    This is, I presume, what Michal referred to as "some provid[ing] weak cues about the origin of the download".

    OK, so Michal, you and I noticed, but few, if any, "ordinary users" would notice, or care about, such (to them) trifling matters. I agree with Michal that this is probably easier to use and more insidious than his earlier example.

    Good find!

  3. Downloading on safari for mac gives me two copies of the flash update, automatically downloaded to my download folder. Opening either of them shows the usual "downloaded from the internet", and giving the download site as

  4. Interesting, sounds pretty bad :-)

  5. Tested this too on latest version of Safari and Lion. Downloads twice automatically when going to that webpage with no prompting! Very scary! Firefox on Mac behaves as per normal.

    Great findings! Im shocked that none of the providers have taken this seriously.

  6. Safari comes up with twin copies of the update when downloading for Mac. Its always the usual download from internet message that pops up.

    Benzoyl Peroxide

  7. I remember looking at it when Michal published this post, kinda late comment

    @Max Short: you're right, that it's from Opera 11, because that's when they've switched from using OS dialogs (in this case MS's) to their own ones, but iirc in Opera 10.x there probably wouldn't even be that "weak cue".

    Regarding that "weak cue", Michal is right, cause I don't think there would be any problem with providing it from typosquatting domain like, or anything like that

  8. Dafuq. It still works on Firefox 19.0 and Chrome 25.0.1364.84 beta running on a Mac. Is it about time to scream louder?