Skip to content

Browser-Only Ransomware From LLM Hallucinations to a Practic...#2452

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Browser-Only_Ransomware_From_LLM_Hallucinations__c27c4ea4d9bb392c
Open

Browser-Only Ransomware From LLM Hallucinations to a Practic...#2452
carlospolop wants to merge 1 commit into
masterfrom
update_Browser-Only_Ransomware_From_LLM_Hallucinations__c27c4ea4d9bb392c

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Check Point Research describes a practical browser-only ransomware technique derived from an AI-generated, partially hallucinated malware sample. The key issue is not a CVE, memory corruption bug, sandbox escape, APK, native executable, root exploit, or OS persistence mechanism. Instead, the attack abuses a legitimate browser capability: the File System Access API, especially showOpenFilePicker() and showDirectoryPicker(), combined w...

🔧 Technical Details

Abusing File System Access API for browser-native ransomware: A malicious website can use legitimate browser APIs such as showOpenFilePicker() and showDirectoryPicker() to request user-approved access to local files or directories. Once the victim grants access, the page can recursively traverse the selected directory, obtain file handles, read file bytes, optionally upload them to a backend, encrypt or otherwise transform them in JavaScript, and write the modified content back to the original files. This creates ransomware-like impact without a native executable, APK installation, browser exploit, sandbox escape, or root access.


Social-engineering write access through a plausible application flow: The technique becomes practical when the permission request matches the user’s expectations. A fake AI upscaler, photo enhancer, avatar editor, or creative tool can first ask for an input image and then ask the user to...

🤖 Agent Actions

Continuation complete and still stable.

Current status:

  • Only one file is modified:
    • src/pentesting-web/web-vulnerabilities-methodology.md
  • The inserted content still captures the key non-duplicative techniques:
    • picker-based File System Access abuse
    • recursive traversal / read / exfil / overwrite primitives
    • social-engineering of folder write access
    • Chromium-only scope including Android/WebView support
    • sandbox-boundary clarification
  • References remain correctly placed at the end of the file.
  • No additional changes are warranted from the current context.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / Browser API Abuse or Phishing Methodology / Browser File System Access API abuse".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant