Bug 1194567 (Closed) Opened 10 years ago Closed 10 years ago

LoginsHelper.js vulnerability: sites can steal login data from any other site

Categories: Firefox for iOS :: Browser, defect
Platform: All
OS: iOS
Type: defect
Priority: Not set
Severity: major

Status: RESOLVED FIXED
Tracking Status: fxios + ---

People: Reporter: bnicholson, Assigned: bnicholson

Keywords: csectype-disclosure, sec-high

Attachments: 1 file

Ugh, this is the kind of stuff I was afraid we'd end up finding with a sec audit.

STR:
1) Go to https://people.mozilla.org/~bnicholson/test/exploit-ios-logins.html.
2) Enter a dummy username/password, click submit.
3) Save your password.
4) Go to http://thebnich.com/mozilla/exploit-ios-logins.html.

After STR, notice that the site from step 3 now has your username and password from step 1. Essentially, any site can steal your username and password from any other site.

How it works: We use the browser URL to build our passwords origin in Logins.swift. Through some experimentation, I found that if a page triggers a change to document.location, the Browser's URL is updated before the page actually changes. From there, the page can post a webkit request under the spoofed URL and override the window.__firefox__.logins.inject listener to steal the data.

This is a major vulnerability, and should definitely block a v1 release.
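The following is an added illustration, not the reporter's patch from PR #936 or any code from Firefox for iOS. It shows the defensive pattern the bug calls for: a WKScriptMessageHandler that keys a submitted login on the origin of the frame that actually sent the message, instead of on the web view's displayed URL, which (as described above) can already reflect a navigation that has not committed. It uses WKFrameInfo.securityOrigin for that; the reviewer's `mainFrame.request.url` corresponds to the frame's `request` on the same WKFrameInfo object and would serve the same purpose. The names LoginRecord, LoginsMessageHandler, the "loginsHelper" message name, the body keys, and makeLoginsWebView are hypothetical.

```swift
import WebKit

// Added example, not code from Firefox for iOS or from the bug's patch.
// The login-storage origin comes from the sending frame's committed security
// origin rather than from the web view's displayed URL. LoginRecord,
// LoginsMessageHandler, "loginsHelper" and the body keys are hypothetical.

struct LoginRecord {
    let origin: String     // scheme://host[:port] the login is keyed under
    let username: String
    let password: String
}

final class LoginsMessageHandler: NSObject, WKScriptMessageHandler {
    static let messageName = "loginsHelper"   // hypothetical handler name
    private let store: (LoginRecord) -> Void

    init(store: @escaping (LoginRecord) -> Void) {
        self.store = store
    }

    /// Serialises a WKSecurityOrigin as "scheme://host[:port]", dropping the
    /// scheme's default port so keys stay stable across equivalent URLs.
    static func originString(_ origin: WKSecurityOrigin) -> String {
        let defaultPort: Int
        switch origin.protocol {
        case "https": defaultPort = 443
        case "http":  defaultPort = 80
        default:      defaultPort = 0
        }
        var s = "\(origin.protocol)://\(origin.host)"
        if origin.port != 0 && origin.port != defaultPort {
            s += ":\(origin.port)"
        }
        return s
    }

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        // Only accept login submissions from the top-level document.
        guard message.frameInfo.isMainFrame else { return }

        // The security origin is fixed when the frame's document commits, so a
        // page that has merely assigned document.location cannot change it.
        let committedOrigin = message.frameInfo.securityOrigin
        guard committedOrigin.protocol == "https" || committedOrigin.protocol == "http" else {
            return
        }
        let origin = LoginsMessageHandler.originString(committedOrigin)

        // Detection hook: the sender's committed origin disagreeing with what the
        // address bar shows is exactly the condition the bug describes.
        if let shownURL = message.webView?.url,
           let shownHost = shownURL.host, shownHost != committedOrigin.host {
            print("login message from \(origin) while displayed URL is \(shownURL); storing under \(origin)")
        }

        guard let body = message.body as? [String: Any],
              let username = body["username"] as? String,
              let password = body["password"] as? String else { return }

        store(LoginRecord(origin: origin, username: username, password: password))
    }
}

// Wiring (hypothetical): register the handler on a web view's user content controller.
func makeLoginsWebView(store: @escaping (LoginRecord) -> Void) -> WKWebView {
    let config = WKWebViewConfiguration()
    config.userContentController.add(LoginsMessageHandler(store: store),
                                     name: LoginsMessageHandler.messageName)
    return WKWebView(frame: .zero, configuration: config)
}
```

The point of the design is that nothing the page's own script can do (assigning document.location, replacing injected listeners) alters the WKFrameInfo that WebKit attaches on the native side of the message; the native handler therefore never has to trust a URL the page may have influenced.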
tracking-fxios: --- → +
Group: mozilla-employee-confidential → core-security
Good find.
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
Attachment #8648260 - Flags: review?(sarentz)
Attachment #8648260 - Flags: review?(rnewman)
Probably doesn't need to be a Security-Sensitive Core Bug since we won't ship v1 without this fixed. I don't have permissions to toggle the checkbox, though.
Let's wait until it's fixed and TestFlighters/self-installers are upgraded. Small amount of harm, but nonetheless.
Comment on attachment 8648260 [details] [review]
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/936

The code looks fine, but from the patch alone I can't tell whether this (partially or completely) fixes the bug. Two substantive questions on the PR.
Attachment #8648260 - Flags: review?(rnewman)
Comment on attachment 8648260 [details] [review]
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/936

Great catch and the fix looks good. Does this same problem apply to any of the other scripts? Are there more places where we use browser.url instead of mainFrame.request.url?
Attachment #8648260 - Flags: review?(sarentz) → review+
(In reply to Stefan Arentz [:st3fan] from comment #6)
> Comment on attachment 8648260 [details] [review]
> Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/936
>
> Great catch and the fix looks good. Does this same problem apply to any of
> the other scripts? Are there more places where we use browser.url instead of
> mainFrame.request.url?

Not that I've looked at so far, but I'll keep an eye out.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release