All users were logged out of Bugzilla on October 13th, 2018
Status
()
People
(Reporter: jupenur, Unassigned)
Tracking
({csectype-spoof, sec-low})
Bug Flags:
Firefox Tracking Flags
(Not tracked)
Details
Attachments
(1 attachment)
|
79.96 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36 Steps to reproduce: Create a link pointing to the following URL. Click it. about:neterror?@bankofamerica.com&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support. Actual results: A Firefox error page is displayed, with a message reflected from the link URL. On Firefox for Android the URL in the URL bar is highlighted as if the origin were actually bankofamerica.com. Expected results: 1. Linking to about:neterror should not be possible. 2. On Android, the neterror URL should not be highlighted so that it can be mistaken for a different origin. 3. Messages should not be reflected to the page from the neterror URL; instead they should be mostly static, with dynamic (potentially attacker-controlled) parts clearly marked as such, for example by placing a border around them and limiting their length and row span. For the URL highlighting part this is somewhat related to bug 1195976.
|
(Reporter) | |
Comment 1•3 years ago
|
||
Created attachment 8649889 [details] Screenshot of the behavior on Android
|
|
(Reporter) | |
Comment 2•3 years ago
|
||
Whoops, sorry, the example URL is missing a slash after bankofamerica.com. That's required to trigger the highlighting bug. Here's the working URL: about:neterror?@bankofamerica.com/&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support.
|
||
Comment 3•3 years ago
|
||
Now that we added a mechanism to keep about:reader links from being linkable we should do the same for about:neterror -- and then check more of our unprivileged about links.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Product: Firefox → Core
|
||
Comment 4•3 years ago
|
||
Firefox seems to override the default about:neterror (don't know why), so, not sure if this is docshell or firefox issue.
|
|
(Reporter) | |
Comment 5•3 years ago
|
||
The Android URL highlighting issue might be bug 1199601. Not sure though, considering it's Android-only.
|
||
Updated•3 years ago
|
||
Group: core-security → dom-core-security
|
||
Updated•3 years ago
|
||
Flags: sec-bounty?
|
|
||
Comment 6•3 years ago
|
||
Minor spoofing bugs do not meet the bounty qualifications.
Flags: sec-bounty? → sec-bounty-
|
|
||
Updated•a year ago
|
||
Group: dom-core-security
|
||
Updated•4 months ago
|
||
Priority: -- → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•