Filed it as a security bug with Chrome. Not expecting to get any bounty out of it, but there's a better chance the security team will appreciate how dangerous this is.
That was fast! Wget 1.20.1 was just released with this behavior disabled by default, and made safer when enabled. We also have a CVE for it too, CVE-2018-20483. Thanks @ruehsen!
It’s useful for enforcing admin policy though. Is this worse than Windows zone identifiers?
not that having a password in the URL would be a good security design anyway
This is how HTTP Basic authentication works. It's part of the HTTP URI standard. And wget is smart enough to hide the password when showing its messages on stderr, but then goes ahead and dumps it in the xattr verbatim.
@ruehsen This might be of some interest.
Thank you for the info. That's indeed a relatively new feature. I'll discuss that with the other maintainers. At least it should be off by default.
wait that means dropbox is full of shit about xattr the other thing is also not great
That's half nice, half scary...
My initial reaction quickly went from "cute" to "this is going to bite me in the ass so hard some day" to "this has already bitten me in the ass" followed by changing a password.
$ getfattr -d -m - test
user.xdg.origin.url="https://user:passwd@gynvael.coldwind.pl/"
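The getfattr output above shows the whole problem: the URL wget stored in the user.xdg.origin.url attribute still carries the user:passwd userinfo that wget scrubs from its own stderr output. The script below is an added example, not code from the thread or from the wget project. It parses a getfattr -d dump (constructed here from the output shown above), flags origin attributes whose URL embeds credentials, and can rewrite the attribute on a real file with the userinfo removed; the attribute name is taken from the thread, while the scrub function assumes a Linux system where os.getxattr/os.setxattr are available.

```python
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute name wget writes when xattr support is on (the name shown in the thread).
ORIGIN_ATTR = "user.xdg.origin.url"


def has_embedded_credentials(url: str) -> bool:
    """True if the URL carries userinfo (user or user:password) in front of the host."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_credentials(url: str) -> str:
    """Return the URL with the userinfo stripped; scheme, host, port, path and query are kept."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Everything after the last '@' is host[:port]; drop the userinfo before it.
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def parse_getfattr_dump(text: str) -> dict:
    """Parse `getfattr -d` style output (name="value" lines, '# file:' comments) into a dict."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        attrs[name] = value.strip().strip('"')
    return attrs


def find_leaked_credentials(getfattr_text: str) -> list:
    """Return (attribute, redacted_url) for each origin attribute whose URL embeds credentials."""
    leaks = []
    for name, value in parse_getfattr_dump(getfattr_text).items():
        if name == ORIGIN_ATTR and has_embedded_credentials(value):
            leaks.append((name, redact_credentials(value)))
    return leaks


def scrub_origin_xattr(path: str) -> bool:
    """Rewrite the origin attribute of a real file without its credentials.

    Linux-only (assumes os.getxattr/os.setxattr). Returns True if the file was changed.
    """
    try:
        value = os.getxattr(path, ORIGIN_ATTR).decode("utf-8", "replace")
    except OSError:
        return False  # no attribute, unsupported filesystem, or unreadable file
    if not has_embedded_credentials(value):
        return False
    os.setxattr(path, ORIGIN_ATTR, redact_credentials(value).encode("utf-8"))
    return True


# Constructed sample: the getfattr output shown in the thread, plus the '# file:' header getfattr prints.
SAMPLE_DUMP = '''# file: test
user.xdg.origin.url="https://user:passwd@gynvael.coldwind.pl/"
'''

if __name__ == "__main__":
    for name, redacted in find_leaked_credentials(SAMPLE_DUMP):
        print(f"{name} embeds credentials; a safe value would be {redacted}")
    # Any paths given on the command line are scrubbed in place.
    for path in sys.argv[1:]:
        if scrub_origin_xattr(path):
            print(f"scrubbed {path}")
```

Running it with no arguments only reports on the constructed sample; pass downloaded files as arguments to strip credentials from their origin attribute. Stripping the userinfo rather than deleting the whole attribute keeps the provenance information that the feature exists to record, while removing the part that leaks a secret to anyone who can read the file's attributes, including sync tools and backups that copy them.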