Firefox OS Find My Device ClickJacking Security Vulnerability

RESOLVED FIXED

Status

Cloud Services Graveyard
Find My Device
RESOLVED FIXED
4 years ago
a year ago

People

(Reporter: Mohamed A. Baset, Assigned: jrconlin)

Tracking

({csectype-dos, dataloss, sec-moderate})

unspecified
csectype-dos, dataloss, sec-moderate
Bug Flags:
sec-bounty +

Details

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 8523446 [details]
Firefox OS Find My Device ClickJacking Security Vulnerability

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141110195804

Steps to reproduce:

Hi Mozilla Security Team,

My name is Mohamed Abdelbaset Elnoby an Information Security Evangelist from Egypt, responsible for the "Samsung Find My 

Mobile" CSRF Security Vulnerability, here is some details about it:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8346
http://thehackernews.com/2014/10/samsung-find-my-mobile-flaw-allows.html
http://www.computerworld.com/article/2839240/zero-day-in-samsung-find-my-mobile-service-allows-attacker-to-remotely-

lock-phone.html
http://mashable.com/2014/10/28/hackers-samsung-find-my-mobile/
http://www.businessinsider.com/hackers-use-find-my-mobile-to-wipe-any-samsung-phone-2014-10
http://www.dailymail.co.uk/sciencetech/article-2812286/Samsung-flaw-lets-hackers-remotely-lock-devices-Bug-Mobile-service-

leaves-handsets-open-attack.html

Today I would like to report a Security Vulnerability in Firefox OS Find My Device feature, details as follow:

Vulnerability :
ClickJacking

Info:
https://www.owasp.org/index.php/Clickjacking

Affected URL(s):
https://find.firefox.com

Highlights on the Vulnerability:
Regardless The security protection mechanism which is that that attacker definitely can't guess or brute force the Device id 

"8fcXXXXc40de04b3803945XXXXXXXXXX" to make a successful clickjacking attack iframe, This protection mechanism is too low 

coz all the attacker to do is just to point the logged in user to his iframe source https://find.firefox.com and Mozilla will care about 

the other things "will redirect him to the correct logged in active device id.

What attacker can do:
-Erase the victim's device data with just only 3 clicks by the victim himself if he tricked with "click here to win a 50 BTC for 

Example"
- Lock The victim device or change his lock code if it is the first time to be set "4 clicks"
- Makes the Device ringing "2 clicks"

More Details About clickjacking:
Because of No Frame Busting Techniques or X-Frame-Options header, the whole website is vulnerable to Clickjacking attacks 

which could lead to a full account takeover considering such scenario:
1. Attacker will iframe any sensitive the website page and adjust the iframe size and add a "divs" as a layers on the unwanted-to-

show parts of the original web page to fool and trick the user.
2. User get tricked by the crafted page and followed the attacker's instruction to do a specific clicks to the iframed page
3. Unwanted actions happened in the logged in user's session in result to the attack's clicks.

Remedy:
1- Add an X-Frame-Options HTTP Header and set it's value to "Deny" or "Sameorigin" as you can see it suitable to mitigate such 

attacks
2- Use iframe busting techmiques in JS code like this:

<script type="text/javascript">
 if (self === top) {
 var antiClickjack = document.getElementById("antiClickjack");
 antiClickjack.parentNode.removeChild(antiClickjack);
 } else {
 top.location = 'Your_Website_URL_Here';
 }
</script>

or

<script type="text/javascript">
 // Disable frame hijacking 
 if (top != self) 
 top.location.href = location.href;
 </script>

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Waiting for your reply
Thanks


Actual results:

Find My Device web interface is iframable which makes it vulnerable to ClickJacking Attacks


Expected results:

Find My Device web interface mustn't be iframed Apply XFO or Frame Busting techniques:

<script type="text/javascript">
 if (self === top) {
 var antiClickjack = document.getElementById("antiClickjack");
 antiClickjack.parentNode.removeChild(antiClickjack);
 } else {
 top.location = 'Your_Website_URL_Here';
 }
</script>

or

<script type="text/javascript">
 // Disable frame hijacking 
 if (top != self) 
 top.location.href = location.href;
 </script>

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Flags: sec-bounty?
Comment hidden (off-topic)

Comment 2

3 years ago
dougt, who should own?
Comment hidden (off-topic)
I just verified this issue works as reported. 

Just to summarize the attack scenario above: 
- User must be currently logged into the find.firefox.com website
- User is coerced into visiting a malicious website, and then coerced to click 3 times

The impact is wiping the device. Potentially locking the phone could be an impact, but this requires setting a PIN so less likely attack vector (clicks alone don't work). 

Note that the user has to already be logged in. Even with a password manager which might allow clickjacking the login screen as well, the login sequence breaks when it is framed.

The simplest fix would be to set the x-frame-options header to DENY for this domain.

Yvan, Joe - any idea who owns this infrastructure? If you're not sure, just assign back to me and I'll chase for an owner.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(yboily)
Flags: needinfo?(jstevensen)

Comment 5

3 years ago
Paul,

I have no idea who owns it. I'll try to find the owner and get the fix you suggested implemented.
Flags: needinfo?(jstevensen)

Comment 6

3 years ago
Paul,

Cloud services owns this. Recommend assigning to Yvan.
Assignee: nobody → yboily
Flags: needinfo?(yboily)
Comment hidden (off-topic)
Comment hidden (off-topic)
Comment hidden (off-topic)
Keywords: csectype-dos, dataloss
Flags: needinfo?(telliott)
Assignee: yboily → jrconlin
Flags: needinfo?(telliott)
(Assignee)

Comment 10

3 years ago
This appears to be on the web
(Assignee)

Comment 11

3 years ago
Jeremy, can you add the list of recommended headers from 
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
to the STAGE deployment servers of FMD? We will test and verify that there's no additional customer impact before rolling this change to PRODUCTION.
Flags: needinfo?(oremj)
We are running straight Go on the FMD servers, so we can either start fronting the services with nginx or add the headers to the app. Fronting the app with nginx would need more QA.

jr, do you have a preference?
Flags: needinfo?(oremj) → needinfo?(jrconlin)
(Assignee)

Comment 13

3 years ago
Wait, I know that we're running straight to go for / but for /static/* components (/bower*, /style/*, etc.) we shouldn't be using the "use_insecure_static" option. Those should be handled by something else like nginx. 

I'm adding a patch to the go code to handle the root paths, and see about confirming the source of the additional site files.
Flags: needinfo?(jrconlin)
(Reporter)

Comment 14

3 years ago
Hi,

You can add just insert JS code (in the vulnerable pages) to handle the framing problem, no need for the XFO headers (if that will break something in the compatibility integration with other services)

For example:

<script type="text/javascript">
 if (self === top) {
 var antiClickjack = document.getElementById("antiClickjack");
 antiClickjack.parentNode.removeChild(antiClickjack);
 } else {
 top.location = 'Your_Website_URL_Here';
 }
</script>

or

<script type="text/javascript">
 // Disable frame hijacking 
 if (top != self) 
 top.location.href = location.href;
 </script>

Thanks
(In reply to JR Conlin [:jrconlin,:jconlin] from comment #13)
> Wait, I know that we're running straight to go for / but for /static/*
> components (/bower*, /style/*, etc.) we shouldn't be using the
> "use_insecure_static" option. Those should be handled by something else like
> nginx. 
> 
> I'm adding a patch to the go code to handle the root paths, and see about
> confirming the source of the additional site files.

If we want them both to be on the same domain, it is all or nothing.  We'd have to host the static files with nginx and proxy /.
(Assignee)

Comment 16

3 years ago
Added headers to all outbound server responses:

https://github.com/mozilla-services/FindMyDevice/pull/327

also increased the STS delay per bug 1143977
(Reporter)

Comment 17

3 years ago
Hi,

I have checked the fix if it was online or not and found that it is vulnerable till now, so is the patch online or not being pushed yet?!

Thanks
Flags: needinfo?(jrconlin)
(Assignee)

Comment 18

3 years ago
We're a bit tight on QA resources. The fix is working it's way through stage at the moment to ensure that we don't break any devices or interfaces that are already deployed.
Flags: needinfo?(jrconlin)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate
JR: is this bug fixed or not? Hopefully the former because it's public now
http://seclists.org/fulldisclosure/2015/Oct/82
Group: cloud-services-security
Flags: needinfo?(yboily) → needinfo?(jrconlin)

Comment 20

3 years ago
I saw that X-Frame-Headers: deny was set on the page, earlier today.

Comment 21

3 years ago
Err, X-Frame-Options.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Assignee)

Comment 22

3 years ago
Following up per sec request, the fix was applied to the code Mar 18 deployed to STAGE 
https://bugzilla.mozilla.org/show_bug.cgi?id=1146226

And deployed to Prod shortly there after. Unfortunately, I don't have a bug handy for that deployment since it came from QA. I will attempt to track that down. 

The absolute latest it was deployed was part of 1.4.7 (the latest deployed version) on 04/21
https://bugzilla.mozilla.org/show_bug.cgi?id=1156348
Flags: needinfo?(jrconlin)
(Reporter)

Comment 23

3 years ago
Hi Guys, I'm requesting a CVE for this!.
(In reply to Mohamed A. Baset from comment #23)
> Hi Guys, I'm requesting a CVE for this!.

From whom?
(Reporter)

Comment 25

3 years ago
Maybe Mozilla can work along with MITRE to get this. or should i report it individually to them?

Comment 26

3 years ago
CVEs are for publicly released software packages, not for services or websites.  Since the vulnerability lies in the service and not the software (ie, FxOS), there wouldn't be a CVE issued for something like this.

Updated

3 years ago
blocking-b2g: --- → 2.2r+
Ravi - this was a configuration issue on a server. It was fixed months ago - it has nothing to do with 2.2r as per comment 22.
blocking-b2g: 2.2r+ → ---

Comment 28

3 years ago
Paul, thanks for the explanation.
Product: Cloud Services → Cloud Services Graveyard
You need to log in before you can comment on or make changes to this bug.