evilXHR is the name we gave a vulnerability we found in some versions
of the Mozilla Firefox browser. It allows a local HTML file, i.e., one that you have
saved in some directory on your computer or mobile device, to steal all files you
have stored in the same directory. (For further technical details, see our Security Advisory.)
Test whether your Firefox browser is vulnerable
We provide a test HTML file, evilXHR.html, that attempts to copy the files stored in the same directory as evilXHR.html and to send the copies to our server, where you can inspect them (if the data theft was successful).
To check whether your Mozilla Firefox browser is vulnerable to
follow these simple steps:
- Create an empty test directory somewhere in your file system.
(e.g., as a subdirectory of your
- Copy up to 3 test files to the test directory.
  Please mind the following restrictions:
  - Do not put any files containing sensitive or confidential data.
    (We don't want your bank statements on our server!)
  - Do not put any
  - Do not put files containing
    (i.e., binary files — e.g., PDFs or images — that contain
    will also be rejected).
  - Do not put files larger than 3 MB.
  - Do not put more than 3 test files.
  (These restrictions have nothing to do with the
  they are imposed to protect our server.)
- Download the file evilXHR.html to the newly created test directory.
- Open evilXHR.html with your Mozilla Firefox browser.
- You will see a warning stating that the file is "copyright protected" and you will be prompted to open it in "read-only mode".
(This is bogus, of course — it just demonstrates how the attack can be rendered more
realistic from a social engineering perspective.)
- Follow the instruction to click on the corresponding link in the directory index displayed below. This will actually initiate the data theft attempt.
- You will be provided a link to the location on our server where your test files were uploaded — if the data theft was successful. You can view or download your test files in the next 2 to 3 minutes before they are deleted. (Note: No files will be deleted on your computer or mobile device; only the stolen copies will be removed from the server in order to free disk space and for security reasons.)
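The upload restrictions in the steps above (at most 3 files, none larger than 3 MB, no binary files) exist to protect the demo server. As an added example, not code from the SySS page or its server, the following Python validator enforces those rules server-side before an upload is stored. The function names, the 3 MiB threshold and the definition of "binary" (a NUL byte or content that is not valid UTF-8) are assumptions; the rule about sensitive data cannot be checked mechanically and is left to the user.

```python
# Added example: server-side enforcement of the demo upload restrictions.
# Assumed names and thresholds; not the SySS server's own code.

MAX_FILES = 3                      # "Do not put more than 3 test files."
MAX_FILE_BYTES = 3 * 1024 * 1024   # "Do not put files larger than 3 MB." (assumed: 3 MiB)


def is_text(data: bytes) -> bool:
    """Assumed definition of a text file: no NUL bytes and valid UTF-8.
    PDFs and images fail this test (they contain NUL bytes or invalid sequences)."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def validate_upload(files: dict) -> tuple:
    """Check an upload against the count, size and text-only rules.

    `files` maps file name -> raw content (bytes).
    Returns (accepted, reasons); `reasons` lists every violated rule so that
    the client can be told why the whole upload was rejected.
    """
    reasons = []
    if len(files) > MAX_FILES:
        reasons.append(f"too many files: {len(files)} > {MAX_FILES}")
    for name, data in files.items():
        if len(data) > MAX_FILE_BYTES:
            reasons.append(f"{name}: {len(data)} bytes exceeds {MAX_FILE_BYTES}")
        if not is_text(data):
            reasons.append(f"{name}: binary content rejected")
    return (not reasons, reasons)


# Constructed sample uploads (not real data from the page).
SAMPLE_OK = {"notes.txt": b"hello\n", "readme.txt": b"world\n"}
SAMPLE_BAD = {
    "notes.txt": b"hello\n",
    "scan.pdf": b"%PDF-1.4\x00\xff",            # binary: rejected
    "big.txt": b"a" * (MAX_FILE_BYTES + 1),     # one byte over the limit
    "extra.txt": b"x",                          # fourth file: too many
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        accepted, reasons = validate_upload(sample)
        print(label, "accepted" if accepted else "rejected", reasons)
```

Rejecting the whole upload rather than silently dropping the offending file keeps the server's behaviour predictable and makes the limits visible to the person running the test.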
If your Mozilla Firefox browser is vulnerable to
follow these simple precautions:
- If you need to store and open HTML files locally, save them in a directory where there is no personal and/or confidential data.
- Do not use the directory index of the browser for navigation. Open local HTML files directly in the browser.
- Update Mozilla Firefox to the latest version and check whether it is still vulnerable.
Dr. Vladimir Bostanov, SySS GmbH