User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Steps to reproduce:
Create a link pointing to the following URL. Click it.
about:email@example.com&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Pleasefirstname.lastname@example.org%20for%20support.

Actual results:
A Firefox error page is displayed, with a message reflected from the link URL. On Firefox for Android the URL in the URL bar is highlighted as if the origin were actually bankofamerica.com.

Expected results:
1. Linking to about:neterror should not be possible.
2. On Android, the neterror URL should not be highlighted so that it can be mistaken for a different origin.
3. Messages should not be reflected to the page from the neterror URL; instead they should be mostly static, with dynamic (potentially attacker-controlled) parts clearly marked as such, for example by placing a border around them and limiting their length and row span.

For the URL highlighting part this is somewhat related to bug 1195976.
Whoops, sorry, the example URL is missing a slash after bankofamerica.com. That's required to trigger the highlighting bug. Here's the working URL: about:email@example.com/&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Pleasefirstname.lastname@example.org%20for%20support.
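The three expected results above describe three separate mitigations: an allow-list for about: pages reachable from web content, no host highlighting for URLs that have no host, and an error page whose text is static except for a clearly bounded, length-limited untrusted part. The following JavaScript is an added illustration of that model, not Firefox/Gecko code; the LINKABLE_ABOUT allow-list, STATIC_MESSAGES table, MAX_DESC_LEN and the sample URL (which points at example.com, not the URL from the report) are assumptions constructed for the example.

```javascript
// Added example (not Firefox/Gecko code): a model of the three mitigations the
// report asks for. LINKABLE_ABOUT, STATIC_MESSAGES, MAX_DESC_LEN and the sample
// URL below are assumptions constructed for this illustration.

// about: pages that unprivileged web content may link to (assumed allow-list).
const LINKABLE_ABOUT = new Set(["about:blank", "about:srcdoc"]);

// Expected result 1: a link from web content to an about: page is followed
// only if the page name is on the allow-list. Non-about: URLs are unaffected.
function isLinkableFromContent(href) {
  const lower = href.trim().toLowerCase();
  if (!lower.startsWith("about:")) return true;
  const name = lower.slice("about:".length).split(/[?#]/)[0];
  return LINKABLE_ABOUT.has("about:" + name);
}

// Expected result 2: the URL bar highlights a host only for real network
// origins. An about: URL has no host, even if its query string contains
// something that looks like one.
function highlightedHost(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.host : null;
}

// Expected result 3: the error page text is static per error code; the only
// dynamic part (the d= description) is normalised to one line, length-limited
// and returned separately so the UI can box it and label it as untrusted.
const STATIC_MESSAGES = {
  nssFailure2: "Secure Connection Failed",
};
const GENERIC_TITLE = "Unable to connect";
const MAX_DESC_LEN = 200;

function parseAboutQuery(href) {
  const q = href.indexOf("?");
  return new URLSearchParams(q === -1 ? "" : href.slice(q + 1));
}

function buildNetErrorView(href) {
  const params = parseAboutQuery(href);
  const code = params.get("e") || "";
  // Static text is selected by code via an own-property lookup, so a code such
  // as "constructor" cannot pull text out of Object.prototype; the code itself
  // is never echoed raw.
  const title = Object.prototype.hasOwnProperty.call(STATIC_MESSAGES, code)
    ? STATIC_MESSAGES[code]
    : GENERIC_TITLE;
  // Collapse newlines/whitespace so the description cannot span rows or mimic
  // additional paragraphs of the static message, then truncate.
  let text = (params.get("d") || "").replace(/\s+/g, " ").trim();
  const truncated = text.length > MAX_DESC_LEN;
  if (truncated) text = text.slice(0, MAX_DESC_LEN) + "...";
  return {
    title,                                  // static, chosen by the browser
    untrusted: { text, truncated },         // to be rendered in a bordered box
    highlightedHost: highlightedHost(href), // null: nothing to highlight
  };
}

// Constructed sample (not the URL from the report): a neterror link whose
// description tries to read like a browser warning about another site.
const SAMPLE_NETERROR =
  "about:neterror?e=nssFailure2&u=https://example.com/&d=" +
  "The%20website%20you%20tried%20to%20access%0Aappears%20to%20have%20been%20compromised.";

console.log("linkable from content:", isLinkableFromContent(SAMPLE_NETERROR));
console.log(JSON.stringify(buildNetErrorView(SAMPLE_NETERROR), null, 2));
```

Run with Node (URL and URLSearchParams are globals). For the sample URL the link is refused at the first check; if the page were reached anyway, the view carries a static title, a one-line truncated description flagged as untrusted, and no host to highlight.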
Now that we added a mechanism to keep about:reader links from being linkable we should do the same for about:neterror -- and then check more of our unprivileged about links.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Product: Firefox → Core
Firefox seems to override the default about:neterror (don't know why), so not sure if this is a docshell or Firefox issue.
The Android URL highlighting issue might be bug 1199601. Not sure though, considering it's Android-only.
Minor spoofing bugs do not meet the bounty qualifications.
Flags: sec-bounty? → sec-bounty-