Re: About Security of File System Access API


Thomas Steiner

Feb 28, 2022, 10:33:05 AM
to Harun Oz, securi...@chromium.org, Thomas Steiner, Marijn Kruisselbrink, Güliz Seray Tuncay, Selcuk Uluagac, Ahmet Aris, Leonardo Babun
[Removing security@ and adding security-dev@.]

On Sat, Feb 26, 2022 at 11:02 PM Harun Oz <hoz...@fiu.edu> wrote:
Hi Tom, Thank you for your reply. We are very happy to hear that you are aware of this. As noted in the links of the API, this has been intended as a nice warning to the users. We wanted to take this to the next level; hence, we reached out to you. As we have analyzed this threat extensively with 3 different OSes, 23 file formats, 29 directories, 5 cloud providers, and 4 a/v solutions, we see (and wanted to highlight) that such ransomware is effective in encrypting numerous file types that can have users' sensitive information, not only in the users' systems but also in external storage locations. As we detailed in our previous email below, this would be a powerful ransomware that can also affect cloud solutions (e.g., Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, and Box) and that can evade anti-virus solutions. The extent and details of these may not be fully known by the community yet. Moreover, existing ransomware detection solutions cannot be a remedy against this type of ransomware due to its distinct features. Given the increasing nature of ransomware attacks in the world (daily!), our goal in this email was simply and kindly to inform you, to share our findings with the community, and not to seek anything else (e.g., a bug bounty prize). The findings could also be added to the documentation for further awareness and comprehensiveness. As savvy-and-responsible researchers :), we also designed a lightweight solution for this ransomware, but that is a separate discussion :) Anyway, if you need further information or would like to talk about it further, you can let us know. And, thanks for all your valuable community efforts! Have a great one!


Harun Oz
Graduate Research Assistant
PhD Computer Engineering Student, Florida International University
Cyber-Physical Systems Security Lab
10555 W Flagler St, Miami, FL 33174



On Feb 17, 2022, at 11:15 AM, Thomas Steiner <to...@google.com> wrote:

Hi Harun, all,

Thanks for your email. These attacks have been acknowledged by the spec for malware and ransomware; and malware specifically was discussed a couple of times in the Issues. I'll let @Marijn Kruisselbrink chime in, who may have additional background.

Cheers,
Tom

On Thu, Feb 17, 2022 at 3:49 PM Harun Oz <hoz...@fiu.edu> wrote:
Dear Chrome Developers, 

We hope this e-mail finds you well. We are security researchers and we have been working on the File System Access (FSA) API for some time. We first thank you all very much for your hard work for developing and maintaining this great API. In this email, we would like to share our findings related to the security of this API and discuss our findings on the pertinent issues.  

Even though the FSA API can be used to develop powerful web applications, it can extend the attack surface of web applications. We found that it can be abused by adversaries to develop a novel ransomware strain. As also briefly discussed in the security model of the API [1],  such an attack would effortlessly be performed by an adversary who designs a seemingly benign web application and uses malicious tactics (i.e., phishing, malvertisement) to trick the user to grant access to their sensitive portions of the local file system. Afterwards, the malicious application can encrypt the files and overwrite the original files with their encrypted versions and demand a ransom payment. As of now, we have found no evidence of any abuse of the FSA API in the wild, nor have we encountered any literature presenting it as a possible attack vector that the adversaries can utilize to perform browser-based ransomware attacks.

Having said this, we have developed a proof-of-concept browser-based ransomware to analyze the impact of this new type of ransomware strain. Our extensive analysis with 3 different OSs, 23 file formats, 29 distinct directories, 5 cloud providers, and 4 antivirus solutions shows that such a ransomware is capable of encrypting numerous types of files that can possess users' sensitive information. In addition, although the security model of the FSA API restricts access to some of the critical system directories (e.g., file system root, user's home, operating system), our experiments reveal that it can encrypt files in user directories, data partitions (i.e., D:/), external storage devices such as external HDDs and flash drives, shared network volumes, and cloud-integrated directories. Furthermore, we have found that while cloud providers such as Dropbox, Google Drive, and Microsoft OneDrive have file versioning features that store multiple versions of a file for backup purposes, popular cloud solutions such as Apple iCloud and Box Individual can be severely affected by browser-based ransomware as they do not implement this feature. Therefore, browser-based ransomware's effect is permanent on the files that are stored in Apple iCloud and Box Individual, which can pose a severe security risk as these platforms have millions of users. Also, it goes without saying, if versioning does not work on cloud providers (i.e., Dropbox, Google Drive, and Microsoft OneDrive) with versioning features, they are also severely impacted. Furthermore, we have analyzed the effectiveness of existing ransomware defense solutions and full versions of several antivirus software products against this new type of ransomware and we have found that they fall short of detecting it due to its distinct features such as not requiring installation, running in the browser, and so on. Thus, we were also interested in providing a solution and also implemented a lightweight defense solution.

Again, we thank you for your hard work in your developing efforts. This is for sure a great community effort. With this email, we kindly wanted to bring these issues to your attention before they are exploited by adversaries. Please let us know if you need more details about these issues. We also would like to let you know about our defense solution and discuss the possible integration of this solution into the FSA API or Chromium. Also, we are in the process of reporting this to other software vendors (e.g., antivirus software, cloud products) that are not aware of the presence of this new type of ransomware attack.


Thank you very much.

Harun Oz
Graduate Research Assistant
PhD Computer Engineering Student, Florida International University
Cyber-Physical Systems Security Lab
10555 W Flagler St, Miami, FL 33174






--
Thomas Steiner, PhD—Developer Advocate (https://blog.tomayac.com, https://twitter.com/tomayac)

Google Germany GmbH, ABC-Str. 19, 20354 Hamburg, Germany
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891




Güliz Seray Tuncay

Mar 8, 2022, 12:23:32 PM
to Thomas Steiner, Harun Oz, securi...@chromium.org, Marijn Kruisselbrink, Selcuk Uluagac, Ahmet Aris, Leonardo Babun
Hi Thomas,

I am Güliz from the Android Security and Privacy team at Google. I am also involved in this research project. 

We thought the explanation in the ransomware link is currently a bit weak and wanted to contribute to enhancing that as we gained a lot of understanding about this type of ransomware in our work. Also, we have developed a defense solution and we are open to sharing it with you.

Let us know what you think.

Best,
Güliz



Thomas Steiner

Mar 18, 2022, 1:08:29 PM
to Güliz Seray Tuncay, Thomas Steiner, Harun Oz, securi...@chromium.org, Marijn Kruisselbrink, Selcuk Uluagac, Ahmet Aris, Leonardo Babun
(Sorry, I was OoO for almost two weeks.) I really think the spec editor @Marijn Kruisselbrink is your best contact both for improving the spec text as well as the mitigation you mentioned. 
Thomas Steiner, PhD—Developer Relations Engineer (https://blog.tomayac.com, https://twitter.com/tomayac)

Harun Oz

Mar 21, 2022, 2:46:21 PM
to Marijn Kruisselbrink, Güliz Seray Tuncay, securi...@chromium.org, Marijn Kruisselbrink, Selcuk Uluagac, Ahmet Aris, Leonardo Babun, Thomas Steiner
Dear Marijn,

I hope this email finds you well. Thomas Steiner provided your email address to talk about File System Access API.  We are security researchers and we have been working on the File System Access (FSA) API for some time. We first thank you all very much for your hard work for developing and maintaining this great API. In this email, we would like to share our findings related to the security of this API and discuss our findings on the pertinent issues.  

As briefly mentioned in the documentation, the FSA API can be abused by attackers to develop browser-based ransomware. We wanted to take this to the next level; hence, we reached out to you. As we have analyzed this threat extensively with 3 different OSes, 23 file formats, 29 directories, 5 cloud providers, and 4 antivirus solutions, we see (and wanted to highlight) that such ransomware is effective in encrypting numerous file types that can have users' sensitive information, not only in the users' systems but also in external storage locations and shared network folders. As we detailed in our previous email below, this would be a powerful ransomware that can also affect cloud solutions (e.g., Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, and Box) and that can evade antivirus solutions. The extent and details of these may not be fully known by the community yet. Moreover, existing ransomware detection solutions cannot be a remedy against this type of ransomware due to its distinct features.

Given the increasing nature of ransomware attacks in the world (daily!), our goal in this email was simply and kindly to inform you and share our findings with the community. We would be happy to collaborate with you on adding our findings to the documentation to raise awareness on these issues and improve the documentation's comprehensiveness. As savvy-and-responsible researchers :), we also designed a lightweight solution for this ransomware; we can discuss that as well if you are interested :)

If you need further information or would like to talk about it further, please let us know. Thanks for all your valuable community effort!

Have a great one! 

Harun Oz

Graduate Research Assistant
PhD Computer Engineering Student, Florida International University
Cyber-Physical Systems Security Lab
10555 W Flagler St, Miami, FL 33174

