Closed Bug 1036924 Opened 6 years ago Closed 5 years ago

FindMyDevice back-end should not enable CORS

Categories

(Firefox OS Graveyard :: FindMyDevice, defect)

defect
Not set

Tracking

(firefox-esr31 unaffected)

RESOLVED FIXED
Tracking Status
firefox-esr31 --- unaffected

People

(Reporter: freddyb, Unassigned)

References

Details

(Keywords: sec-high)

I am assuming this might be a leftover from testing. The FindMyDevice app has the systemXHR permission, so it does not need CORS to work with the backend.

But leaving CORS open (and with-credentials set to true) makes it open to attacks from other domains. Imagine this:

User is logged in to wheresmyfox in a browser tab. The user opens an evil web page in another tab (or the same, without logging out).
evil.com may now send XHR requests to wheresmyfox and the browser will automatically augment these requests with the correct credentials.
Knowing the API, the attacker may now control the phone, i.e. lock the device with a key of her choosing or wipe the phone completely.


Let's discuss why CORS was needed (in case it wasn't just debugging) and see how we can get around that.
(In reply to Frederik Braun [:freddyb] from comment #0)
> Let's discuss why CORS was needed (in case it wasn't just debugging) and see
> how we can get around that.

This seems like a very serious issue. Do we have conclusion yet? Thanks.
This only applies to fmd.stage.mozaws.net and fmd.dev.mozaws.net.

I am concerned that this behavior might at some point be replicated to find.firefox.com to which this bug does'nt (yet?) apply.
Neither of these boxes are for production users, nor do they link to production user data. 

fmd.stage is an integration development box to be used between teams (this will probably be renamed to "fmd.stable" shortly.)
fmd.dev is a central team development box.

I have commented out the CORS headers from the nginx configuration files for now.
Freddy, from the sounds of comment 3, it appears that the issue has been addressed. Would you agree that we can mark this fixed, or do you have other concerns?
Flags: needinfo?(fbraun)
I can confirm that neither of those HTTPS endpoints enables CORS:
> https://find.firefox.com
> https://fmd.stage.mozaws.net
> https://fmd.dev.mozaws.net
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Flags: needinfo?(fbraun)
Group: b2g-core-security → core-security
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.