GNU Wget is a free software package for retrieving files using HTTP, HTTPS, FTP
The flaw, tracked as CVE-2018-20483, could allow local users to obtain sensitive information (e.g., credentials contained in the URL) by reading the attributes.
The security researcher Gynvael Coldwind (@voltagex) discovered that the stored attributes can include usernames and passwords.
The security researcher Hanno Böck highlighted that URLs can sometimes contain “secret tokens” used for external services like file hosting. The attributes can be read by any user logged in to the machine using the getfattr command.
“The URL of downloads gets stored via filesystem attributes on systems that support Unix extended attributes,” Böck wrote.
“You can see these attributes on Linux systems by running getfattr -d [filename] (the download URL is stored in a variable ‘user.xdg.origin.url’).”
“This also applies to Referer information in the user.xdg.referrer.”
The issue has been privately reported to Chrome as well and will be fixed soon.
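As an added defender-side example (not from the article and not wget's own code), the script below walks a download directory, reads the user.xdg.origin.url and user.xdg.referrer.url attributes that wget writes (the article abbreviates the second as user.xdg.referrer), flags stored URLs that embed credentials or token-like query parameters, and rewrites those attributes with the sensitive parts removed. It assumes Linux with user.* xattr support; the list of sensitive parameter names is an illustrative assumption.

```python
"""Find and scrub secret-bearing download URLs stored in extended attributes."""
import os
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ORIGIN_ATTR = "user.xdg.origin.url"      # written by wget (and Chrome)
REFERRER_ATTR = "user.xdg.referrer.url"  # full name used by wget's xattr code
# Query parameter names treated as secrets (illustrative, not exhaustive).
SENSITIVE_PARAMS = {"token", "access_token", "key", "api_key", "sig",
                    "signature", "auth", "password"}


def find_secrets(url):
    """Return reasons a stored URL is sensitive: userinfo and/or query:<name>."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo")  # user:pass@host form
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            reasons.append(f"query:{name}")
    return reasons


def redact_url(url):
    """Strip userinfo and sensitive query parameters; keep the useful origin."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # drop everything before '@'
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k.lower() not in SENSITIVE_PARAMS])
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))


def scrub_file(path):
    """Rewrite secret-bearing URL attributes on one file; return attrs changed."""
    changed = []
    for attr in (ORIGIN_ATTR, REFERRER_ATTR):
        try:
            url = os.getxattr(path, attr).decode("utf-8", "replace")
        except OSError:
            continue  # attribute absent, or filesystem without xattr support
        if find_secrets(url):
            os.setxattr(path, attr, redact_url(url).encode("utf-8"))
            changed.append(attr)
    return changed


if __name__ == "__main__":
    for dirpath, _, names in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        for name in names:
            path = os.path.join(dirpath, name)
            for attr in scrub_file(path):
                print(f"scrubbed {attr} on {path}")
```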
The expert Hector Martin pointed out that a threat actor wanting to steal stored URLs can simply copy the files from the target’s hard drive to a USB key.
(SecurityAffairs – wget, hacking)