Brave Software: links the user may download can be a malicious files

ID H1:182557
Type hackerone
Reporter seifelsallamy
Modified 2017-08-10T05:10:18




This vulnerability is pretty simple and pretty dangerous at the same time

Almost any link the user tries to download it's extension is set according to the file extension in the path if the path is / then it download's it according to the domain name
Eg: [1] if the user downloaded the link the file type would be .php that's not very dangerous though

[2] if the user downloaded the link the file type would be .exe Okey that's dangerous but it requires a lot of social engineering

[3] if the user downloaded the link the file type would be .com this requires less social engineering and it's pretty dangerous why? because .com files are executable files which may can do what .exe can do here's links about .com files and the difference between .exe and .com

there's a new many domain names which may can create malicious extensions like .com as example which can create a python file

any website can make his favorable extension in the domain path and when the user downloads it it will be downloaded by the extension as example

Products affected:

windows 10 x64 brave latest version

Steps To Reproduce:

there is 3 ways to reproduce [1] execute this html <a href="" download></a> right click on the link > Save Link as... > Save [2] go to right click > Save Page as... > Save [3] execute this html and directly click the link it will download directly <a href="" download></a>

Note :

The none exist pages can't be downloaded

Any link the users tries to download must be .htm or .html

Supporting Material/References: