EXTREME weirdness - applet writing without permissions

Stefan Reich stefan.reich.maker.of.eye at googlemail.com
Mon Mar 17 16:29:12 UTC 2014

Hi folks,

here is something really really weird. I have this applet:

with this source code (you can verify!):

<applet id="theapplet" code="net.luaos.tb.tb16.ComputerChatApplet.class"
width="100%" height="300" alt="Java Applet" archive="magic.jar?3195969">
  <!--<param name="permissions" value="all-permissions" />-->

Clearly, all-permissions is just a comment. I also get no security dialog
or anything, so it's a SANDBOXED applet.

However, I can clearly see it accessing my disk. I enter "hello" in the
chat field, and instantly, a file in ~/.tinybrain is created on my

By an untrusted applet.

How's it possible?

Process dump:

stefan     746 32001  0 17:22 ?        00:00:00
/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/IcedTeaPlugin.so -greomni
/usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir
/usr/lib/firefox/browser 32001 true plugin
stefan     754   746  1 17:22 ?        00:00:04
-classpath /usr/lib/jvm/java-7-openjdk-i386/lib/rt.jar

Note: I also use signed applets, using the same .jar, on other pages. Maybe
that slips through to this applet? But still, it's totally out of spec that
this applet can write stuff to disk, or is it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140317/93aed7b8/attachment-0001.html>

More information about the distro-pkg-dev mailing list