Closed Bug 1147778 Opened 8 years ago Closed 8 years ago

BroadcastChannel API bypasses app sandbox on B2G and private browsing mode

Categories

(Core :: DOM: Core & HTML, defect)

37 Branch
x86
Windows 8
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1148032

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: sec-low)

Attachments

(2 files)

514 bytes, application/x-zip-compressed
Details
565 bytes, application/x-zip-compressed
Details
Attached file victim.zip
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36

Steps to reproduce:

Issue 1: Bypass app sandbox on B2G
1. Install attached packaged app 'victim.zip' on Firefox OS simulator 3.0.
2. Start the victim app. The app loads message receiver page from http://csrf.jp on it's iframe.
3. Start Browser app and open 'http://csrf.jp/bc/sender.html'.
4. Push 'Send Message' button in the page, and then, BroadcastChannel message is sent.
5. Open the victim app again. Then, you can see the received message from Browser on the alert popup.

Issue 2: Bypass private browsing mode
1. Open Firefox Nightly and open following two pages on both normal browsing mode and private browsing mode.
    Sender: http://csrf.jp/bc/sender.html
    Receiver: http://csrf.jp/bc/receiver.html
2. Push 'Send Message' button of Sender on normal mode. Then, the message is sent to Receiver on private mode.
3. On the contrary, push 'Send Message' button of Sender on private mode. Then, the message is sent to Receiver on normal mode.


Actual results:

Issue1: BroadcastChannel message is sent with bypassing app sandbox on B2G.
Issue2: BroadcastChannel message is sent with bypassing private browsing mode.


Expected results:

BroadcastChannel message should not be sent in cases of Issue1 & Issue2.
Attached file victim2.zip
I found another issue using BrowserChannel API.

Issue 3: Bypass Browser API sandbox on B2G
1. Install attached packaged app 'victim.zip' and 'victim2.zip' on Firefox OS simulator 3.0.
2. Start Browser app and open 'http://csrf.jp/bc/receiver.html'.
3. Start victim app. The app loads message receiver page from http://csrf.jp on it's iframe.
4. Start the victim2 app. The app loads message sender page from http://csrf.jp on it's iframe[mozbrowser].
5. Push 'Send Message' button in the sender page of victim2.app, and then, BroadcastChannel message is sent.
6. Open the victim app again. Then, you can see the received message from victim2 app on the alert popup.
7. Open the Browser app agaon. Then, you can see the received message from victim2 app on the alert popup.

This result indicates that a web page opened in Browser API sandbox can send a message to another apps.
Please open separate bugs for each issue. When you put more than one bug report into a bug, it makes it very difficult to make sure that all of the bugs will be addressed.
Flags: sec-bounty?
Sorry, I opened following three bugs.

Issue 1:
Bug 1148031 BroadcastChannel API bypasses app sandbox on B2G
Issue 2:
Bug 1148032 BroadcastChannel API bypasses private browsing mode
Issue 3:
Bug 1148033 BroadcastChannel API bypasses Browser API sandbox on B2G
If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.
Flags: needinfo?(sdna.muneaki.nishimura)
Component: Untriaged → DOM
Product: Firefox → Core
This the combo 1148032 + 1148033. I wrote the patch for the first bug and I'm ready to land it.
I mark this bug as duplicate of the first one.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
> If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.

Yes, I've already opened 3 bugs for all of issues I reported in this bug. 
Thank you for handling this bug.
Flags: needinfo?(sdna.muneaki.nishimura)
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-low
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.