Location Bar URL Spoofing On Firefox 36.0.1 for Android using the calculation of the width of the screen and the creation of an appropriate size link (link which has a long size related to the width of the screen)

RESOLVED DUPLICATE of bug 605206

Status

Firefox for Android
General
3 years ago
2 years ago

People

(Reporter: Jordi Chancel, Unassigned)

Tracking

({csectype-spoof, sec-low, testcase})

36 Branch
ARM
Android

Firefox Tracking Flags

(firefox36 affected, firefox37 unaffected, firefox38 ?, firefox39 ?)

Details

(Whiteboard: URL Bar Spoofing in Firefox 36.0.1 for Android, FIXED IN FIREFOX BETA 37.0 for Android, URL)

Attachments

(2 attachments, 4 obsolete attachments)

(Reporter)

Description

3 years ago
Created attachment 8577342 [details]
TESTCASE1 FOR Firefox 36.0.1 for Android.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

On Firefox 36.0.1 for Android, when you go to a URL, the location bar shows only the title of the webpage, so if the user wants to verify the URL, the user must click on the location bar.

(step1) - go to http://www.alternativ-testing.fr/Research/Mozilla/android/spoooftest1/testspoof.html  (click on the link : "Clickme for use an URL Spoofing attack")

(step2) - you will arrive on a phishing webpage which has a URL with a special length, because when the user clicks on the Location Bar, it is the last characters which are shown to the trapped user, and this leads to URL spoofing if the last characters which are shown represent a URL (a URL which isn't the real URL address). (So, beforehand, the page could do a calculation to define the size of the URL which leads to the URL spoofing.)




Actual results:

For a web page 980px wide, here is a link allowing the URL spoofing on Firefox 36.0.1 for Android:

https://www.alternativ-testing.fr/Research/Mozilla/android/Fakegoogle.html?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2&emr=1#inbox&bug_status=UNCONFIRMED&bug_status=REOPENED&bug_status=CLOSED&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=NEW&bug_status=ASSIGNED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=jordi.chancel%40alternativ-testing.fr&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporte https://gmail.com?secvalue0-0-19645859314752Si405364i2874596543954&i2i82906i

If this is the URL of the visited page and the user clicks on the location bar, the user will see as the URL (for a web page 980px wide): https://gmail.com?secvalue0-0-19645859314752Si405364i2874596543954&i2i82906i


(You can see this explanation at this URL -> http://www.alternativ-testing.fr/Research/Mozilla/android/spoooftest1/testspoof.html)


Expected results:

I think it is preferable to show the real URL of the real Domain of the WebPage visited, instead of the end of the URL.
(Reporter)

Updated

3 years ago
Whiteboard: URL (Only For Be Used On Android) , I use Firefox 36.0.1 for Android , and my Android Version is 4.4.4 [i'm waiting for android 5 lollipop]
(Reporter)

Comment 1

3 years ago
It is resolved in part (I will tell you why I say only in part *1*) in Firefox 37.0 beta for Android, because the location bar directly shows the real domain and the beginning of the URL, and not the title of the webpage like Firefox 36.0.1 for Android. But when you click on the location bar, it shows the last characters (like the original spoofing in Firefox 36.0.1, except that this is not URL spoofing but an imperfect display of the URL, because when you click on the location bar [on the patched Firefox beta 37.0 update], it is preferable to show the start of the URL).

In any case, the vulnerability is patched on beta version because the address bar shows the real domain and the beginning of the URL.
(Reporter)

Comment 2

3 years ago
Created attachment 8577599 [details]
Video-Example1 Firefox 36.0.1 for Android-URL spoofing Vulnerability.html

This video shows a PoC which works only with a webpage which has 980px of width.
(Reporter)

Comment 3

3 years ago
(In reply to Jordi Chancel from comment #2)
> Created attachment 8577599 [details]
> Video-Example1 Firefox 36.0.1 for Android-URL spoofing Vulnerability.html
> 
> This video shows a PoC which works only with a webpage which has 980px of
> width.


In saying this, I made an error: it is var tailleEcranX = window.innerWidth;
var tailleEcranY = window.innerHeight; which defined the size of an Android smartphone screen, so I will tell you the real info when I have coded a better calculator of Android screen size.
(Reporter)

Comment 4

3 years ago
(In reply to Jordi Chancel from comment #3)
> (In reply to Jordi Chancel from comment #2)
> > Created attachment 8577599 [details]
> > Video-Example1 Firefox 36.0.1 for Android-URL spoofing Vulnerability.html
> > 
> > This video shows a PoC which works only with a webpage which has 980px of
> > width.
> 
> 
> In saying this, I made an error: it is var tailleEcranX =
> window.innerWidth;
> var tailleEcranY = window.innerHeight; which defined the size of an Android
> smartphone screen, so I will tell you the real info when I have coded a better
> calculator of Android screen size.

------

In fact, window.innerWidth; and window.innerHeight; are bad for calculating the screen size on Android mobiles. (read the rest of the comment)
∧∧∧∧∧∧∧∧∧∧∧∧∧
∨∨∨∨∨∨∨∨∨∨∨∨∨
The number 980px is a wrong calculation; the real information about the size is on this website: http://whatismyandroidversion.com/ , and the spoofing works on an Android screen which has the size 640 x 360 (as indicated on http://whatismyandroidversion.com/ viewed with Firefox for Android on the Samsung Galaxy S5 4g+).

For the old calculation (which was bad) I used window.innerWidth; & window.innerHeight; but they are not a good solution for calculating the screen size on Android mobiles.

So, the calculation of the screen size is at this URL:
http://whatismyandroidversion.com/.
(Reporter)

Updated

3 years ago
Whiteboard: URL (Only For Be Used On Android) , I use Firefox 36.0.1 for Android , and my Android Version is 4.4.4 [i'm waiting for android 5 lollipop] → URL Bar Spoofing in Firefox 36<;0;1 , FIXED IN FIREFOX BETA 37.0 for Android
(Reporter)

Updated

3 years ago
Keywords: csectype-spoof, testcase
Whiteboard: URL Bar Spoofing in Firefox 36<;0;1 , FIXED IN FIREFOX BETA 37.0 for Android → URL Bar Spoofing in Firefox 36.0.1 for Android, FIXED IN FIREFOX BETA 37.0 for Android
(Reporter)

Comment 5

3 years ago
Comment on attachment 8577342 [details]
TESTCASE1 FOR Firefox 36.0.1 for Android.html

I will upload a testcase which better explains the spoofing method.
Attachment #8577342 - Attachment is obsolete: true
Flags: needinfo?(jordi.chancel)
(Reporter)

Comment 6

3 years ago
Created attachment 8577683 [details]
TestCase n°2 (better information of the screen size)

New testcase uploaded (with better information of the screen size).
Flags: needinfo?(jordi.chancel)
(Reporter)

Comment 7

3 years ago
Created attachment 8577692 [details]
TestCase n°3 (better information of the screen size and some changes in the description)

New testcase [N°3] (better information of the screen size and some changes in the description)
Attachment #8577683 - Attachment is obsolete: true
(Reporter)

Comment 8

3 years ago
Created attachment 8577694 [details]
TestCase4 (better information of the screen size and some changes in the description)
Attachment #8577692 - Attachment is obsolete: true
(Reporter)

Comment 9

3 years ago
Created attachment 8577698 [details]
TestCase5 (better information of the screen size and some changes in the description)

Some changes in the description of this new testcase (N°5).
Attachment #8577694 - Attachment is obsolete: true
Assuming that this is resolved on the Aurora and Nightly channels we will wait on Fx37 shipping at the end of the month.
status-firefox36: --- → affected
status-firefox37: --- → unaffected
status-firefox38: --- → ?
status-firefox39: --- → ?
OS: Mac OS X → Android
Hardware: x86 → ARM
(Reporter)

Comment 11

3 years ago
(In reply to Kevin Brosnan [:kbrosnan] from comment #10)
> Assuming that this is resolved on the Aurora and Nightly channels we will
> wait on Fx37 shipping at the end of the month.

Can you add me to the CC list of the first/original report of this vulnerability, please?
Flags: needinfo?(kbrosnan)
It sounds like the disabling 'show page title' from comment 2.
Flags: needinfo?(kbrosnan)
This is a long-known bug that the security team has been asking be fixed for years (and collected a number of dupes).

Your variation showing the downsides of having the selection scrolled to the end is perhaps worth considering in a separate bug, but trying to address that in this bug will founder on the now misleading initial comments. I'm not sure it's a terrible spoofing danger, though, because the user _does_ see the real domain before they click. And of course you could create domains like http://mail.google.com.backend-processing.am-i-off-the-screen-yet.evil.com/ and try to fool people with the limited space available on phones, but that's just kind of a built-in risk of cramped UI. That's why people like "apps" for sensitive stuff.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 605206
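
Added example, not part of this bug or of Firefox's code: a JavaScript sketch of the two display policies discussed above (the end-of-URL view the reporter describes, and an origin-first view like the expected result), plus a check that flags a URL whose visible tail reads as a different host. The function names, the character budget standing in for screen width, and the sample URL are assumptions constructed for illustration.

```javascript
// Added illustration: names, budget and sample URL are constructed.
const SAMPLE_URL =
  "https://login.attacker.example/page.html?continue=inbox&pad=" +
  "x".repeat(120) + "#https://mail.example.com/inbox";

// End-of-URL view: what a bar scrolled to the end shows, i.e. only the
// last `visibleChars` characters.
function tailView(url, visibleChars) {
  return url.length <= visibleChars ? url : url.slice(-visibleChars);
}

// Check: does the visible tail read as a URL on a host other than the
// one that actually served the page?
function tailMisleads(url, visibleChars) {
  const realHost = new URL(url).hostname;
  const m = tailView(url, visibleChars).match(/https?:\/\/[^\s\/?#]+/i);
  if (!m) return false;
  try {
    return new URL(m[0]).hostname !== realHost;
  } catch {
    return false; // tail fragment is not a parseable URL
  }
}

// Origin-first view: scheme and host always stay visible; the path,
// query and fragment are what gets cut. Userinfo is dropped.
function originFirstView(url, visibleChars) {
  const u = new URL(url);
  const full = u.origin + u.pathname + u.search + u.hash;
  if (full.length <= visibleChars) return full;
  if (u.origin.length >= visibleChars) {
    // Host alone overflows: keep its right end, where the registrable
    // domain sits, rather than the attacker-chosen left-hand labels.
    return "…" + u.host.slice(-(visibleChars - 1));
  }
  const room = visibleChars - u.origin.length - 1;
  return u.origin + full.slice(u.origin.length, u.origin.length + room) + "…";
}

console.log(tailView(SAMPLE_URL, 30));
console.log(tailMisleads(SAMPLE_URL, 30));
console.log(originFirstView(SAMPLE_URL, 40));
```

The host-overflow branch covers the long-subdomain case raised in the closing comment: the right end of the hostname is the part the page author cannot choose freely.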

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-low