Closed
Bug 1147778
Opened 10 years ago
Closed 10 years ago
BroadcastChannel API bypasses app sandbox on B2G and private browsing mode
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 1148032
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
Details
(Keywords: reporter-external, sec-low)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36
Steps to reproduce:
Issue 1: Bypass app sandbox on B2G
1. Install attached packaged app 'victim.zip' on Firefox OS simulator 3.0.
2. Start the victim app. The app loads the message receiver page from http://csrf.jp in its iframe.
3. Start Browser app and open 'http://csrf.jp/bc/sender.html'.
4. Push the 'Send Message' button in the page; the BroadcastChannel message is then sent.
5. Open the victim app again. Then, you can see the received message from Browser on the alert popup.
Issue 2: Bypass private browsing mode
1. Open Firefox Nightly and open the following two pages in both normal browsing mode and private browsing mode.
Sender: http://csrf.jp/bc/sender.html
Receiver: http://csrf.jp/bc/receiver.html
2. Push the 'Send Message' button of Sender in normal mode. The message is then sent to Receiver in private mode.
3. Conversely, push the 'Send Message' button of Sender in private mode. The message is then sent to Receiver in normal mode.
Actual results:
Issue 1: The BroadcastChannel message is sent, bypassing the app sandbox on B2G.
Issue 2: The BroadcastChannel message is sent, bypassing private browsing mode.
Expected results:
The BroadcastChannel message should not be sent in the cases of Issue 1 and Issue 2.
Comment 1 (Reporter) • 10 years ago
Comment 2 (Reporter) • 10 years ago
I found another issue using the BroadcastChannel API.
Issue 3: Bypass Browser API sandbox on B2G
1. Install attached packaged app 'victim.zip' and 'victim2.zip' on Firefox OS simulator 3.0.
2. Start Browser app and open 'http://csrf.jp/bc/receiver.html'.
3. Start the victim app. The app loads the message receiver page from http://csrf.jp in its iframe.
4. Start the victim2 app. The app loads the message sender page from http://csrf.jp in its iframe[mozbrowser].
5. Push the 'Send Message' button in the sender page of the victim2 app; the BroadcastChannel message is then sent.
6. Open the victim app again. Then you can see the received message from the victim2 app in the alert popup.
7. Open the Browser app again. Then you can see the received message from the victim2 app in the alert popup.
This result indicates that a web page opened in the Browser API sandbox can send a message to other apps.
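The three issues above come down to one dispatch rule: which receivers a BroadcastChannel message reaches. The following is an added illustration, not code from this bug, from the reporter's test pages or from Gecko. It models a broadcast service keyed first by origin and channel name only (the behaviour the report describes) and then by a key that also carries the embedding app and the private-browsing flag. The context fields (`appId`, `inPrivateBrowsing`), the key formats, and the sender/receiver contexts are constructed assumptions that mirror Issues 1 to 3; the mozbrowser case of Issue 3 is reduced here to "a page embedded by a different app".

```javascript
// Added example: a minimal model of the dispatch rule a browser's
// BroadcastChannel service must apply. This is not Gecko's code; the
// context fields (appId, inPrivateBrowsing) and the key formats are
// illustrative assumptions, and the contexts below are constructed
// to mirror the report's three issues.

// Where a page runs: its origin, the B2G app that embeds it (null for
// the Browser app or a desktop tab), and whether it is in private mode.
function makeContext(origin, { appId = null, inPrivateBrowsing = false } = {}) {
  return { origin, appId, inPrivateBrowsing };
}

// Keying by origin and channel name only. Every http://csrf.jp page,
// whether in an app iframe, the Browser app or a private window, lands
// on the same channel. This is the behaviour the report describes.
function originOnlyKey(ctx, name) {
  return `${ctx.origin}|${name}`;
}

// Keying that folds the app and private-browsing state into the key,
// so a channel cannot cross a sandbox or mode boundary.
function partitionedKey(ctx, name) {
  const app = ctx.appId === null ? '-' : ctx.appId;
  return `${ctx.origin}|app=${app}|pb=${ctx.inPrivateBrowsing ? 1 : 0}|${name}`;
}

// The service: receivers are grouped by key; postMessage delivers to
// every receiver that resolved to the same key as the sender.
class BroadcastService {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.receivers = new Map();
  }

  subscribe(ctx, name, onMessage) {
    const key = this.keyFn(ctx, name);
    if (!this.receivers.has(key)) this.receivers.set(key, []);
    this.receivers.get(key).push(onMessage);
  }

  postMessage(senderCtx, name, data) {
    const targets = this.receivers.get(this.keyFn(senderCtx, name)) || [];
    for (const deliver of targets) deliver(data);
    return targets.length; // how many receivers heard the message
  }
}

// Replays the report: receivers in the Browser app, a private window and
// the victim app; senders in the Browser app (Issue 1), a private window
// (Issue 2) and the victim2 app (Issue 3). Returns what each receiver saw.
function runScenario(keyFn) {
  const svc = new BroadcastService(keyFn);
  const received = { browser: [], private: [], victimApp: [] };

  const browser = makeContext('http://csrf.jp');
  const privateWin = makeContext('http://csrf.jp', { inPrivateBrowsing: true });
  const victimApp = makeContext('http://csrf.jp', { appId: 'victim' });
  const victim2App = makeContext('http://csrf.jp', { appId: 'victim2' });

  svc.subscribe(browser, 'test', (d) => received.browser.push(d));
  svc.subscribe(privateWin, 'test', (d) => received.private.push(d));
  svc.subscribe(victimApp, 'test', (d) => received.victimApp.push(d));

  svc.postMessage(browser, 'test', 'from Browser app');
  svc.postMessage(privateWin, 'test', 'from private window');
  svc.postMessage(victim2App, 'test', 'from victim2 app');
  return received;
}

// Self-check when run directly: node broadcast-partition.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log('origin-only:', runScenario(originOnlyKey));
  console.log('partitioned:', runScenario(partitionedKey));
}
```

With `originOnlyKey`, every receiver sees all three messages, which is exactly the cross-sandbox and cross-mode delivery reported above. With `partitionedKey`, the Browser app receiver hears only the Browser app sender, the private window hears only the private sender, and the victim app hears nothing from victim2. The point for anyone implementing or auditing a per-origin channel (BroadcastChannel, SharedWorker, storage events) is that the origin alone is not the isolation boundary; any context attribute that the browser treats as a separate sandbox has to be part of the lookup key.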
Comment 3 • 10 years ago
Please open separate bugs for each issue. When you put more than one bug report into a bug, it makes it very difficult to make sure that all of the bugs will be addressed.
Flags: sec-bounty?
Comment 4 (Reporter) • 10 years ago
Sorry, I opened the following three bugs.
Issue 1:
Bug 1148031 BroadcastChannel API bypasses app sandbox on B2G
Issue 2:
Bug 1148032 BroadcastChannel API bypasses private browsing mode
Issue 3:
Bug 1148033 BroadcastChannel API bypasses Browser API sandbox on B2G
Comment 5 • 10 years ago
If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.
Flags: needinfo?(sdna.muneaki.nishimura)
Updated • 10 years ago
Component: Untriaged → DOM
Product: Firefox → Core
Comment 6 • 10 years ago
This is the combo 1148032 + 1148033. I wrote the patch for the first bug and I'm ready to land it.
I mark this bug as duplicate of the first one.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Comment 7 (Reporter) • 10 years ago
> If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.
Yes, I've already opened 3 bugs for all of issues I reported in this bug.
Thank you for handling this bug.
Flags: needinfo?(sdna.muneaki.nishimura)
Updated • 10 years ago
Flags: sec-bounty? → sec-bounty-
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 6 years ago
Component: DOM → DOM: Core & HTML
Updated • 8 months ago
Keywords: reporter-external