549459 - Permission denied exception string way too descriptive

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P1)

Description

[Attila Magyar]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100215 Ubuntu/9.04 (jaunty) Shiretoko/3.5.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Exception string: "Permission denied for <http://mysite.com> to call method Location.toString on <http://example.com>." The second domain name should not be part the exception text as it may leak information for a possible attacker. When a script is not permitted to read the location property of a window object, the exception should not leak partial information from that property.


Reproducible: Always

Steps to Reproduce:
1. Open a new window: 
var wnd = window.open();
2. Use setInterval() to frequently read wnd.location.href. If any exception occurs, catch it, convert it to string, and extract domain names from it.
Actual Results:  
The above described method allows a site to keep track of which (external) domains does the user visit in newly opened windows or tabs. Combining this with some social engineering (e.g. make the user allow popup windows) and catching keyboard events (e.g. CTRL+T) can lead to unwanted spying on visitors of a website.

Expected Results:  
The "Permission denied" exception should not contain information about the external URL.

The proof of concept demo has been tested with FF 3.5.8 on Ubuntu 9.04 and with FF 3.6 on Windows XP (SP2).

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Interesting. This brings back memories of bug 363897. I wonder if we can set up some sort of secret handshake between caps and the error console without leaking the two origins in the message of the actual exception object (since that's the reason that we have the origins in there in the first place).

Comment 2

[Daniel Veditz [:dveditz]]

Attachment: reporter's testcase

Comment 3

[Boris Zbarsky [:bzbarsky]]

We could stick the "real" error text into a property that untrusted script can't get and revert the default error text to what it used to be before I tried to make jjbarton's life easier...

Or we could just revert that fix, period.  Probably much simpler.

Comment 6

[Paul Stone]

Used in combination with the trick in bug 469939, this is not just a privacy bug. It can also be used to target phising attacks at users.

Comment 7

[Johnny Stenback (:jst)]

I think we should attempt to fix this for 1.9.3.

Comment 8

[Attila Magyar]

FYI there is public information on this kind of attack out there, today I found this article in my Google Reader:

http://pet-portal.eu/?page=blog&topic=pet&view=2010_06_14_Rovid_hir_egy_erdekessegrol_az_XSUH (hungarian)

which is written about the following paper: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf - this contains a similar method to steal whole URLs or just the domain part when it's not possible.

Btw. am I allowed to publish detailed information about this bug on my (rarely updated and even more rarely visited) blog in the near future?

Comment 10

[Daniel Veditz [:dveditz]]

Given the XSUH paper I don't see why you couldn't blog about this. Maybe we should unhide the bug to avoid future duplicates.

Comment 12

[Boris Zbarsky [:bzbarsky]]

OK.  I'm going to fix this by effectively disabling the fixes for bug 434522 and bug 495176 until such a time as we can report different information to the UI and to the web page.

Comment 13

[Boris Zbarsky [:bzbarsky]]

Though it looks like with the proxies+wrappers we basically never get into this code anyway... so those bugs were already backed out for the most part (yay lack of regression testing).

Comment 14

[Boris Zbarsky [:bzbarsky]]

Attachment: Don't show information about the object principal in the error string.

Comment 15

[Boris Zbarsky [:bzbarsky]]

Pushed http://hg.mozilla.org/mozilla-central/rev/7dbd04a58fa0

Comment 16

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

This applies as-is to both branches.

Comment 17

[LegNeato]

Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

a=LegNeato for 1.9.2.14 and 1.9.1.17

Comment 18

[Boris Zbarsky [:bzbarsky]]

Pushed:
  http://hg.mozilla.org/releases/mozilla-1.9.2/rev/4de0968e31a1
  http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cb4fb4d7e086

Comment 19

[bhearsum@mozilla.com (:bhearsum)]

This caused permanent orange in mochitest on all platforms on 1.9.2: 107291 ERROR TEST-UNEXPECTED-FAIL | /tests/modules/plugin/test/test_pluginstream_newstream.html | exception Permission denied for <http://localhost:8888> to get property HTMLDocument.body thrown

Comment 20

[Boris Zbarsky [:bzbarsky]]

Yeah, that test is bogus....  I pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6697a04d3f87 to fix the bogosity (which is just an exact copy of the changeset that fixed said bogosity on trunk back when compartments landed).

Comment 21

[Boris Zbarsky [:bzbarsky]]

And then http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7f6049187692 because the message format from the security manager isn't the same as what the security wrappers produce.  Why the wrappers decided to use different strings, I have no idea.  :(

Comment 22

[Al Billings [:abillings - ex-MoCo]]

Verified fixed in 1.9.2 using attached testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14pre) Gecko/20110103 Namoroka/3.6.14pre. Verified bad behavior in 1.9.2.13. 

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.17pre) Gecko/20110106 Shiretoko/3.5.17pre and verified bad behavior in 1.9.1.16.