Closed Bug 1123433 Opened 10 years ago Closed 10 years ago

COPPA error screen in FxAccounts signup allows loading arbitrary web content into B2G root process

Categories

(Firefox OS Graveyard :: Gaia::System, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::System
Platform:
All
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(blocking-b2g:-, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 fixed, b2g-master fixed)

Status:
RESOLVED FIXED
Milestone:
2.2 S7 (6mar)
Project Flags:
blocking-b2g -
Tracking Flags:
Tracking Status
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: kats, Assigned: kgrandon)

References

Details

(Keywords: sec-moderate, Whiteboard: [systemsfe][b2g-adv-main2.2+])

Attachments

(1 file)

Github pull request
46 bytes, text/x-github-pull-request
ferjm
: review+
jhirsch
: feedback+
Details | Review
In following the STR for bug 1109531 on master, I noticed that an external website (hosted at ftc.gov) gets loaded into the b2g root process. This seems bad, as we don't control this content and a user clicking on links from that page can theoretically load arbitrary content into the b2g root process. STR (basically copied from bug 1109531): 1. go to settings > Firefox accounts 2. click on "create account or sign in" 3. enter a bogus email address that has no firefox account associated with it (e.g. foo@bar.asdlkfjlaskfdj) and hit next 4. In the age verification drop-down pick a recent year (e.g. 2014) and hit next 5. On the COPPA error message screen that shows up click on "learn more"
I was able to repro this on master, but based on bug 1109531 and bug 1040424 it probably goes all the way back to 2.0 and earlier.
status-b2g-master: --- → affected
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → All
I'm not sure if or how qawanted works with secure bugs, but we should try to get branch checks here - though maybe a dev should go through and figure that out.
status-b2g-v1.4: --- → ?
status-b2g-v2.0: --- → ?
status-b2g-v2.0M: --- → ?
status-b2g-v2.1: --- → ?
status-b2g-v2.1S: --- → ?
status-b2g-v2.2: --- → ?
Keywords: qawanted
2.1 is definitely affected as well, I loaded a build and verified.
status-b2g-v2.1: ?affected
Sounds like 2.2 will probably be affected then.
status-b2g-v2.1S: ?affected
status-b2g-v2.2: ?affected
Naoki, we need someone to investigate how far back this might go. Can you or someone else in QA help?
Flags: needinfo?(nhirata.bugzilla)
Keywords: sec-high
Firefox Accounts was introduced in 2.0: https://wiki.mozilla.org/B2G/Roadmap/Archive_-_Past_Releases_Complete_Features w/ bug 941723 1.4 shouldn't be affected. It sounds like we just need to test 2.0 since 2.0M is an offshoot of 2.0. Is that correct? Are we also trying to find the regression range? It almost sounds like this was there from the beginning. (Trying to understand the scope of what needs to be tested)
Flags: needinfo?(nhirata.bugzilla) → needinfo?(mwobensmith)
We were just trying to answer the question in comment 2, w/r/t regression range. If we have no additional information on top of what you provided (and thanks for that) then I guess that's all we can do from the QA side for now.
Flags: needinfo?(mwobensmith)
Peter, can you have someone check if this happens on 2.0 please? You may have to add that person to the bug for them to see it.
Flags: needinfo?(pbylenga)
Will do, Jayme, can you take a look please?
Flags: needinfo?(pbylenga)
QA Contact: jmercado
This issue DOES occur on 2.0 Flame KK. Environmental Variables: Device: Flame 2.0 BuildID: 20150120081659 Gaia: 736933b25ded904f0cb935a0d48f1f3cf91d33ad Gecko: 0c9b6ff58714 Version: 32.0 (2.0) Firmware Version: v18D-1 User Agent: Mozilla/5.0 (Mobile; rv:32.0) Gecko/32.0 Firefox/32.0 I also verified that on the v165 1.4 Flame KK base, there is no Firefox account options under settings.
QA Whiteboard: [QAnalyst-Triage?]
status-b2g-v2.0: ?affected
Flags: needinfo?(ktucker)
Keywords: qawanted
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
[Blocking Requested - why for this release]: Security bug
blocking-b2g: --- → 2.0?
Jared/Fernando, do you know who should be looking into this? I'm not sure if it this is considerd a FxA error or a gaia system error.
Flags: needinfo?(ferjmoreno)
Flags: needinfo?(6a68)
Group: b2g-core-security
Ugh, that's true. I'll try to get to this next week.
Assignee: nobody → ferjmoreno
Flags: needinfo?(ferjmoreno)
Flags: needinfo?(6a68)
Sorry folks, I am quite busy with FxOS v3 stuff and 2.2 feature landing, so I am not sure when I will be able to get to this one :(. Jared, if you have any free cycles, could you take a look at this one, please? Thanks!
Flags: needinfo?(6a68)
I took a quick look and noticed at least 2 other links which open content in the root process. Privacy Notice and Terms of Service on the first page. The easy fix here is to include the oop config for BrowserFrame. Fixing the error message is a bit more tricky without a large refactoring. The best solution I had for that is to use a custom element which handles the stringification quite well.
Attached file Github pull request
Comment on attachment 8567692 [details] [review] Github pull request Jared, Fernando - I had some time on the plane so I took a quick look at this. Either of you guys want to take a quick look and let me know if this is a reasonable approach? Thanks!
Attachment #8567692 - Flags: review?(ferjmoreno)
Attachment #8567692 - Flags: review?(6a68)
Comment on attachment 8567692 [details] [review] Github pull request This patch looks good, but I'm not a system peer, and haven't tested it on device. If there are concerns, I think we could definitely just not link out to the FTC COPPA info page; I'm not sure it's properly internationalized, so it might be useless to most of our audience. Anyway, f+ from me, thanks so much kgrandon ^_^
Flags: needinfo?(6a68)
Attachment #8567692 - Flags: review?(6a68) → feedback+
Comment on attachment 8567692 [details] [review] Github pull request Thank you Kevin! LGTM
Attachment #8567692 - Flags: review?(ferjmoreno) → review+
Thanks guys taking this for now. Also going to just leave the link in for now as changing it would result in requiring a string change. It might be a change we want to make in 3.0 though.
Assignee: ferjmoreno → kgrandon
Status: NEW → ASSIGNED
Whiteboard: [systemsfe]
Bhavana - I'll get this into 3.0, but who should make the 2.0 blocking call on this bug?
Flags: needinfo?(bbajaj)
In master: https://github.com/mozilla-b2g/gaia/commit/77381a5b9e4852240dc0ed5604cdbbd1fdf8571a
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-b2g-master: affectedfixed
Resolution: --- → FIXED
While this technically meets the criteria for auto-uplift seeing as how it's a sec-high, it sounds like it's complicated by string changes? I'll defer to y'all's judgement then as to what releases this should be backported to.
Target Milestone: --- → 2.2 S7 (6mar)
I actually made an attempt to make no string changes, so there is no localization needed for this. If this meets criteria for auto-uplift then we should be good to go.
I have a patch for 2.1 ready, but it's not working for some reason =/ I'm getting an error, "Operation is not supported" - it seems there's some problem with web components for some reason. Will investigate further.
This is working fine on 2.2 though. At this point I'm not sure how to fix 2.0 and 2.1 without making string changes.
Group: b2g-core-security
Depends on: 1137354
(In reply to Kevin Grandon :kgrandon from comment #27) > This is working fine on 2.2 though. At this point I'm not sure how to fix > 2.0 and 2.1 without making string changes. I'm going to mark 2.0 and 2.1 as wontfix here for the time being. I'm currently unable to make a fix there without doing a string change unless someone has a better idea. I'm not sure what the process typically is here, so please chime in if you think this is wrong.
status-b2g-v2.0: affectedwontfix
status-b2g-v2.0M: ?wontfix
status-b2g-v2.1: affectedwontfix
status-b2g-v2.1S: affectedwontfix
Sorry for the late response on this one, given the string change I don't think we can land this at this time. But this is also a sec-high, so I am Ni'ing Paul to make sure about this decision or raise any concerns if we should try to find more options(hard coded strings?) to fix this depending on his assessment from security side.
Flags: needinfo?(bbajaj) → needinfo?(ptheriault)
blocking-b2g: 2.0? → -
The 2.0 and 2.1 fix would be to change the error message. I suppose in this case we would have an english-only string for all locales.
So lets think about what the actual attack scenario would be here. IIUC an attacker would need to coerce the user to complete the STR above in comment 1, and then somehow get the victim to continue browsing to arbitrary web content in the same window. I note that the URL in Gaia not SSL so there is small chance of an opportunistic redirection to malicious content for an attacker who already has an active MITM position (e.g. over insecure wifi) . [1] But that seems pretty unlikely in the grand scheme of things? And then you of course still need some kind of Firefox exploit to take advantages of the root privileges... TLDR: If comment 30 is easy, then may as well do it, but if its risky, then I'm not sure we need to worry too much. [1] Annoying sidenote: the COPA page actually redirects from http -> https... shame don't we link to the SSL page, which would limit this attack! http://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/kids-privacy-coppa. Maybe it wasn't always a secure page...
Flags: needinfo?(ptheriault)
Whiteboard: [systemsfe] → [systemsfe][b2g-adv-main2.2+]
Re-rating this as per my previous comment. It might actually be a sec-low given the requirement for an additional vuln, but I'll err on the side of caution.
Keywords: sec-highsec-moderate
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: