Bug 1036924 - FindMyDevice back-end should not enable CORS
Opened 10 years ago; Closed 10 years ago
Categories: Firefox OS Graveyard :: FindMyDevice, defect
Status: RESOLVED FIXED
Tracking: firefox-esr31 unaffected
People: Reporter freddy, Unassigned
Keywords: sec-high
Description
I am assuming this might be a leftover from testing. The FindMyDevice app has the systemXHR permission, so it does not need CORS to work with the backend.
But leaving CORS open (and with-credentials set to true) makes it open to attacks from other domains. Imagine this:
User is logged in to wheresmyfox in a browser tab. The user opens an evil web page in another tab (or the same, without logging out).
evil.com may now send XHR requests to wheresmyfox and the browser will automatically augment these requests with the correct credentials.
Knowing the API, the attacker may now control the phone, i.e. lock the device with a key of her choosing or wipe the phone completely.
Let's discuss why CORS was needed (in case it wasn't just debugging) and see how we can get around that.
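The attack in the description depends on a browser rule that is easy to get wrong: a cross-origin XHR sent with withCredentials = true has its response exposed to the calling page only when the server answers with an Access-Control-Allow-Origin that exactly matches the attacker's origin and Access-Control-Allow-Credentials: true. The following is an added example, not code from the FindMyDevice project or from this bug: it models that browser-side decision, then runs it against two constructed server behaviours, one that reflects the request Origin with credentials allowed (the configuration reported here) and one that sends no CORS headers at all (the fix applied in comment 3). The origin evil.example and the helper names reflectingServer and fixedServer are assumptions for illustration; nothing here does network I/O.

```javascript
// Added example (not the project's code). Models the browser-side CORS
// check for credentialed cross-origin requests; no network I/O.

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// True when a browser would hand the response body of a credentialed
// cross-origin request (withCredentials = true) to script at requestOrigin.
function credentialedResponseReadable(requestOrigin, responseHeaders) {
  const acao = header(responseHeaders, 'Access-Control-Allow-Origin');
  const acac = header(responseHeaders, 'Access-Control-Allow-Credentials');
  if (acao === undefined) return false;       // no CORS headers: same-origin policy applies
  if (acao === '*') return false;             // wildcard is never accepted with credentials
  if (acao !== requestOrigin) return false;   // must match the request Origin exactly
  return acac === 'true';                     // only the literal value "true" counts
}

// Constructed server models (assumptions, not the real back end).
// reflectingServer copies the request Origin back and allows credentials,
// which is the behaviour the bug describes as "CORS open".
function reflectingServer(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Content-Type': 'application/json',
  };
}

// fixedServer sends no CORS headers at all (the nginx headers commented out).
function fixedServer(_requestOrigin) {
  return { 'Content-Type': 'application/json' };
}

// The scenario from the description: a page on the attacker's origin issues a
// credentialed XHR to the service while the victim's session cookie is present.
// Returns 'exposed' if the attacker's script could read the reply, else 'blocked'.
function simulateCrossOriginRead(server, attackerOrigin) {
  const responseHeaders = server(attackerOrigin);
  return credentialedResponseReadable(attackerOrigin, responseHeaders)
    ? 'exposed'
    : 'blocked';
}

// Example run (the values below are what the two models return).
const attacker = 'https://evil.example';
console.log('reflecting server:', simulateCrossOriginRead(reflectingServer, attacker));
console.log('fixed server:     ', simulateCrossOriginRead(fixedServer, attacker));
```

One caveat the model makes visible: removing the CORS headers stops the attacker from reading responses and blocks any request that needs a preflight, but a simple request (a plain GET or a form-encoded POST) is still sent with the victim's cookies attached and only its response is withheld. Whether that matters for this API depends on which requests change state without a preflight, which the bug does not say; CSRF protection for those endpoints is the usual answer.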
Comment 1 • 10 years ago
(In reply to Frederik Braun [:freddyb] from comment #0)
> Let's discuss why CORS was needed (in case it wasn't just debugging) and see
> how we can get around that.
This seems like a very serious issue. Do we have conclusion yet? Thanks.
Comment 2 • 10 years ago (Reporter)
This only applies to fmd.stage.mozaws.net and fmd.dev.mozaws.net.
I am concerned that this behavior might at some point be replicated to find.firefox.com, to which this bug doesn't (yet?) apply.
Comment 3 • 10 years ago
Neither of these boxes is for production users, nor do they link to production user data.
fmd.stage is an integration development box to be used between teams (this will probably be renamed to "fmd.stable" shortly.)
fmd.dev is a central team development box.
I have commented out the CORS headers from the nginx configuration files for now.
Comment 4 • 10 years ago
Freddy, from the sounds of comment 3, it appears that the issue has been addressed. Would you agree that we can mark this fixed, or do you have other concerns?
Flags: needinfo?(fbraun)
Comment 5 • 10 years ago (Reporter)
I can confirm that neither of those HTTPS endpoints enables CORS:
> https://find.firefox.com
> https://fmd.stage.mozaws.net
> https://fmd.dev.mozaws.net
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Flags: needinfo?(fbraun) (cleared)
Updated • 10 years ago
Group: b2g-core-security → core-security
Updated • 10 years ago
status-firefox-esr31: --- → unaffected
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release