29

This might be paranoid, but if I go to a malicious website, can they tell what is inside a PDF on my desktop or what is inside my images on my hard drive?

I have a Chromebook and a Windows machine.

6
  • Should this be specified to a specific browser? I'd imagine not all browsers are equally secure in this respect? IE Flash was a huge vulnerability for stuff like this, wasn't it? If it's not specific to a browser, maybe it should be limited to a certain version of a given HTML spec or whatever. Commented Oct 15, 2018 at 2:36
  • 1
    Taking into account Spectre - possibly. Commented Oct 16, 2018 at 4:14
  • 13
    this might be more suitable on Information Security
    – phuclv
    Commented Oct 16, 2018 at 9:15
  • 1
    It is a possibility, but it is so minor that this is not what you should be concerned about. You should be concerned about what other information is stored in your web browser that the website can access. Cookies can store very vulnerable personal information about you which such sites can fish up. Commented Oct 16, 2018 at 17:41
  • 1
    If you want to be extra paranoid, run your browser inside a barebones Linux virtual machine. Commented Oct 16, 2018 at 23:39

5 Answers

34

Unless you explicitly grant a website—which is secure (HTTPS) or insecure (HTTP)—access to an item on your system, that website will not have access to that item on your system.

This might be paranoid, but if I go to a website that might not be 100% secure, can they tell what is inside my hard drive desktop's PDF or what is inside my images on my hard drive?

In general, unless you explicitly give them access to your hard drive—or documents on your hard drive—then no, an insecure website won’t be able to access anything.

That said (and emphasizing this to make it clear) there are indeed some incredibly rare—and esoteric—“zero-day” exploits that might be of concern in some edge cases. But in general, you—as an end user—need to go out of your way to allow a website to gain access to documents on your system. As long as your OS is patched and browsers are up to date you are safe. And even in cases where you are not patched and upgraded (and again emphasizing this to make it clear) the risk is still incredibly low.

The only concern with a website that “might not be 100% secure” (as the original question stated and I am assuming HTTPS versus plain HTTP) is that when you transmit data back and forth HTTPS is encrypted and HTTP is not encrypted.

The risk then is if you type something into the site via a form and such, if the site is plain HTTP then the data you are transmitting is just clear text that anyone with a packet sniffer has the potential to read. But that is a slim chance at best.

Like if you are on a known public Wi-Fi network then maybe someone is on that network with you and potentially capturing packets and thus could detect what you are typing.

In general if you are on a secure network at home or elsewhere—and your browser and OS are patched—you are “safe.”

An “insecure” website only really is a concern if you send data to them or you download an item from said website that will run code on your system.

0
57

By design browsers do not allow this but there is always the possibility of a bug that can be exploited to gain a higher level of access to your system. These bugs are fairly rare and always fixed very quickly so this is mainly an issue if your OS or browser is out of date. Both of these auto update now so just don't disable auto updates and you can be sure of a fairly good level of protection against malicious websites.

11
  • 8
    Worth noting that such a zero day is worth hundreds of thousands to the right people, so chances are unless you're really interesting it won't be used against you. Commented Oct 16, 2018 at 13:09
  • 1
    @Adonalsium - You just need a credit card to be interesting to all the ... right ... people.
    – Paul
    Commented Oct 16, 2018 at 14:19
  • 5
    @Paul If someone purchased a six-figures zero-day to steal some credit cards, that'd be a little sad. You'd have to steal thousands before you could even come close to making your money back, and that's if you trigger every single red flag and burn it on one attack. In contrast, a hundred thousand to steal state or corporate secrets... that's much more likely.
    – anon
    Commented Oct 16, 2018 at 17:03
  • 1
    @Adonalsium for a zero day yes, but exploits on old versions are free public knowledge. And there are still a fair few people running old versions of IE or Silverlight.
    – Qwertie
    Commented Oct 16, 2018 at 23:31
  • 3
    @Paul Sure, it's easy: They were stolen through exploits that wouldn't cost hundreds of thousands of dollars to buy, and have a much higher guaranteed return than a browser flaw for credit card theft. Things like social engineering and hacked webstore databases can compromise a credit card, too. If you'll kindly read my actual comment, I never said that credit card theft doesn't happen -- which is how you read it -- but that a powerful browser zero-day won't be burnt on some rando's credit card.
    – anon
    Commented Oct 17, 2018 at 15:51
44

A remote computer can't access anything on your computer without the aid of co-operating software on your computer.

In the case of you using your computer to visit an untrusted website, you are using browser software on your computer to initiate web requests (the HTTP or HTTPS protocol) to receive data from the remote computer. In this simple model, the remote computer has absolutely no access to your computer, but... browsers have some features which complicate this picture.

Modern browsers have a feature which allows you to upload files from your computer. A website may include a form which makes use of this feature. This feature does not give the website a view into your computer. When your browser processes such a form, it presents you with a file selection control; your browser can see the files on your computer, and when you make a selection, your browser sends the contents of that file, and only that file to the remote system. The way this feature works leads some people to believe that the website can see files on your computer when it actually cannot.

All modern browsers have JavaScript engines built into them. The website may include JavaScript code which is intended to be executed by your browser. When the browser receives JavaScript in a page, it will typically execute it automatically. JavaScript is normally used to enhance the user experience; it has certain capabilities and some limitations. The JavaScript engine can't "see" into your computer - can't see your files or what may be going on in other programs, but it can direct the browser to load other files from the same site - images, pages, etc. JavaScript could make the browser at least attempt to download and execute a program which may have greater access to or control over your system. While JavaScript itself is limited in what it can do on your computer, it is nevertheless possible for a malicious programmer to make use of JavaScript to trick an unsuspecting user into downloading a more capable and malicious program.

TL;DR: An untrusted website cannot by itself see into your computer. But, a site can try to trick you into downloading and executing malicious software. Such software could potentially do anything on your computer. Your browser should not automatically download such software; at the very least, it should require your explicit acceptance. A malicious website could, however, try to trick you into giving such acceptance.

4
  • 1
    Thank you for the reply. This was informative.
    – john doe
    Commented Oct 15, 2018 at 3:54
  • 12
    +1 This should be the accepted answer. If the site is not trustworthy, there is no difference between HTTP and HTTPS. It is JavaScript and the browser's security mechanisms that matter. Commented Oct 15, 2018 at 4:56
  • 3
    Co-operating soft: Windows itself. Commented Oct 15, 2018 at 7:54
  • @val - I'd expand that to all operating systems, to be fair. If you spend time, you'll find the holes.
    – Paul
    Commented Oct 17, 2018 at 8:28
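The file-upload behaviour described in the answer above, as an added example that is not part of the original post: it parses a constructed multipart/form-data request body, shaped like what a browser sends after the user picks one file, and reports what the receiving site actually gets. The field names (`comment`, `doc`), the file name `report.pdf` and the boundary string are assumptions made up for illustration.

```javascript
// Added example. SAMPLE_BODY is constructed data shaped like the request a
// browser sends for a multipart/form-data form after the user picks one file.
// Field names, file name and boundary are made up for illustration.
const BOUNDARY = '----ConstructedBoundary7MA4YWxk';
const SAMPLE_BODY = Buffer.from([
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="comment"',
  '',
  'see attached',
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="doc"; filename="report.pdf"',
  'Content-Type: application/pdf',
  '',
  '%PDF-1.4 constructed bytes',
  `--${BOUNDARY}--`,
  '',
].join('\r\n'), 'latin1');

// Split the body on the boundary and report only what each part contains.
function parseMultipart(body, boundary) {
  const text = body.toString('latin1'); // latin1: one character per byte
  const parts = [];
  for (const chunk of text.split(`--${boundary}`).slice(1)) {
    if (chunk.startsWith('--')) break;            // closing delimiter
    const sep = chunk.indexOf('\r\n\r\n');        // headers end here
    if (sep === -1) continue;                     // malformed part: skip
    const headers = chunk.slice(2, sep);          // drop leading CRLF
    const data = chunk.slice(sep + 4, -2);        // drop trailing CRLF
    const name = /[;\s]name="([^"]*)"/i.exec(headers);
    const file = /[;\s]filename="([^"]*)"/i.exec(headers);
    const type = /^Content-Type:\s*(.+)$/im.exec(headers);
    parts.push({
      name: name ? name[1] : null,
      filename: file ? file[1] : null,
      contentType: type ? type[1] : null,
      size: data.length,
      // True only if the client included directory information.
      hasPath: file ? /[\\/]/.test(file[1]) : false,
    });
  }
  return parts;
}

// Everything the site learns about the user's disk from this upload.
function serverView() {
  return parseMultipart(SAMPLE_BODY, BOUNDARY).filter((p) => p.filename !== null);
}

console.log(serverView());
```

The request carries one file name without a directory and that file's bytes; nothing about neighbouring files or folders is present for the site to read.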
13

In theory no, in practice: Yes, that's certainly possible.

This is the reason why savvy users have browser extensions that disable scripting at all times except for explicitly whitelisted websites which require them, and which thwart many other attacks such as cross-site request forgery and whatnot.

Exploits which allow remote code execution or allow accessing local files are published almost every month. Two recent examples for one well-known browser are 1 and 2. Examples for another well-known browser are 3 and 4.

(The above are random vulnerabilities which I picked with no obvious reason in mind, also they're meanwhile all fixed with the newest versions, to my knowledge.)

Browser attacks can not only allow a website to access files, they can in principle allow the website to take over your computer altogether, in the worst case. The issue is not limited to browsers, see WhatsApp video call vulnerability for a recent example. There was an exploit in a particular widely-deployed series of DSL routers a year or so ago which would allow a malicious website to take over your router even in presence of a password, if only you visited the website from your computer.

The level of stupidity necessary for an attack to be successful varies. For some attacks, the end user must be really, really stupid. For some attacks, the user must be only somewhat unaware for a split second. And some attacks will work even without the user doing anything stupid at all as long as some particular conditions are met.

3

In general, a website cannot access files on your hard drive or their meta information. Nevertheless, you should be aware of a couple of things:

  • there might be security flaws in your browser that let attackers hijack your browser or even your system
  • depending on your browser, malicious websites can learn quite a lot about you and the computer you're using. For a little overview look here: http://webkay.robinlinus.com/
  • the best way to keep your files secure is to keep them away from the internet. Store your files on an external drive and only access them through offline computers. This might be inconvenient but secure
