In the land of Windows, the %ENV_VAR% syntax references an environment variable. Developers commonly use it within CMD.
When a file is saved, the name of the saved file can be returned to the page. This is expected and useful functionality on the web. However, saving a file whose name was an environment variable reference behaved strangely.
In particular, if a file was saved with an environment variable reference as its name, such as %username%, the value of the environment variable was returned instead! It is common for developers to store secrets in environment variables, such as AWS_SECRET_ACCESS_KEY, GitHub secrets and many other things. As a result, this attack could be used to steal sensitive information from a device.
How would you get a user to save a file with an environment variable reference as its name? Using the window.showSaveFilePicker function, a malicious website can specify the suggestedName field for the file.
But would a user actually save a file with this name? The attack the author came up with is super cool! They built a site that says "Hold Enter For 2 Seconds". While Enter is held, the Save File dialog opens and takes focus, so the still-held Enter key triggers its Save button, with only a brief flash on the screen.
This bug only applies on Windows but affects Chrome, Edge and Opera. Although using an ENV variable reference in the file name does not seem like a big deal on its own, the auto-focus attack method is what made it feasible. I would bet this could be used somewhere else in the future for similar attacks that require user interaction.
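As an added example (this is not code from the original write-up, and it is not how Chromium actually fixed the bug), here is the kind of validation a save-dialog implementation, or a site wrapping showSaveFilePicker, could apply to a suggested name before it reaches the native Windows dialog: find Windows-style %VAR% references and neutralize them. The regex, the function names and the sample names are my own assumptions.

```javascript
// Added example, not from the original post or from Chromium.
// Detect and neutralize Windows-style %VAR% references in a suggested
// file name before it is handed to a native save dialog.

// A %VAR% reference: a '%', one or more characters that are legal in a
// Windows file name and are not '%', then a closing '%'. This is an
// assumption about what the OS would try to expand, not Chromium's rule.
const ENV_REF = /%([^%\\\/:*?"<>|\r\n]+)%/g;

// Return the variable names referenced in a suggested name (empty if none).
function findEnvReferences(name) {
  return Array.from(name.matchAll(ENV_REF), (m) => m[1]);
}

// Rewrite each %VAR% pair as _VAR_ so it can no longer be expanded.
// A single, unpaired '%' is left alone because cmd does not expand it.
function sanitizeSuggestedName(name) {
  return name.replace(ENV_REF, (_match, inner) => `_${inner}_`);
}

// Build a sanitized options object for a picker call, leaving the other
// options untouched. In a browser the caller would pass the result to
// window.showSaveFilePicker(...).
function sanitizeSaveOptions(options) {
  if (typeof options.suggestedName !== "string") return { ...options };
  return {
    ...options,
    suggestedName: sanitizeSuggestedName(options.suggestedName),
  };
}

// Constructed sample names for a stand-alone run.
const SAMPLES = [
  "report.txt",
  "%username%.txt",
  "%USERPROFILE%-export.csv",
  "100%done.txt",
  "50%off%sale.txt",
];

for (const name of SAMPLES) {
  const refs = findEnvReferences(name);
  console.log(
    JSON.stringify(name),
    "->",
    JSON.stringify(sanitizeSuggestedName(name)),
    refs.length ? `refs: ${refs.join(", ")}` : "clean",
  );
}
```

The same `findEnvReferences` check also works as a detection signal: a site has no legitimate reason to suggest a name containing a paired `%...%`, so logging such names from untrusted input is cheap. Note the deliberately conservative rule produces a false positive on a name like `50%off%sale.txt`; that is the safer side to err on, since the cost is an underscore in a file name rather than a leaked secret.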