URL and error message spoofing in about:neterror

Status: NEW
Assignee: Unassigned
Priority: P5
Severity: normal
Opened: 3 years ago
Modified: 4 months ago
Reporter: jupenur
Version: 40 Branch
Keywords: csectype-spoof, sec-low
Points: ---
Bug Flags: sec-bounty -
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Steps to reproduce:

Create a link pointing to the following URL. Click it.

about:neterror?@bankofamerica.com&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support.


Actual results:

A Firefox error page is displayed, with a message reflected from the link URL. On Firefox for Android the URL in the URL bar is highlighted as if the origin were actually bankofamerica.com.


Expected results:

1. Linking to about:neterror should not be possible.
2. On Android, the neterror URL should not be highlighted so that it can be mistaken for a different origin.
3. Messages should not be reflected to the page from the neterror URL; instead they should be mostly static, with dynamic (potentially attacker-controlled) parts clearly marked as such, for example by placing a border around them and limiting their length and row span.

For the URL highlighting part this is somewhat related to bug 1195976.
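
One way to implement expected results 1 and 3 above, as an added example that is not part of the original report and is not Firefox's code. The message wording, the 80-character cap and all function names are assumptions made for illustration.

```javascript
// Added example, not Firefox code. Message wording and limits are constructed.
// SAMPLE_URL is the corrected URL quoted in this report.
const SAMPLE_URL = "about:neterror?@bankofamerica.com/&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support.";

// Trusted, static text keyed by error code; only the code is read from the URL.
const STATIC_MESSAGES = new Map([
  ["nssFailure2", "Secure connection failed."], // constructed wording
]);
const GENERIC_MESSAGE = "The page could not be loaded."; // constructed wording
const MAX_DETAIL_CHARS = 80; // assumed cap on reflected text

// Return the query parameters of an about:neterror URL, or null for any other URL.
function parseNetErrorUrl(url) {
  const q = url.indexOf("?");
  const head = q < 0 ? url : url.slice(0, q);
  if (!/^about:neterror$/i.test(head)) return null;
  return new URLSearchParams(q < 0 ? "" : url.slice(q + 1));
}

// Collapse untrusted text to one bounded line: control and format characters
// (newlines, bidi overrides) become spaces, then the result is truncated.
function boundUntrusted(text) {
  const oneLine = text.replace(/[\p{Cc}\p{Cf}\s]+/gu, " ").trim();
  const chars = Array.from(oneLine); // count code points, not UTF-16 units
  if (chars.length <= MAX_DETAIL_CHARS) return oneLine;
  return chars.slice(0, MAX_DETAIL_CHARS).join("") + "…";
}

// Build the render model: the headline is always static; the reflected "d"
// text stays in its own field so the page can box and label it, and must be
// written with textContent rather than innerHTML.
function buildErrorModel(url) {
  const params = parseNetErrorUrl(url);
  if (params === null) return null;
  const detail = params.get("d") || "";
  return {
    headline: STATIC_MESSAGES.get(params.get("e") || "") || GENERIC_MESSAGE,
    untrustedDetail: detail === "" ? null : boundUntrusted(detail),
  };
}

// Expected result 1: web content may not link or navigate to about:neterror.
function mayNavigate(sourceIsWebContent, targetUrl) {
  return !(sourceIsWebContent && parseNetErrorUrl(targetUrl) !== null);
}
```
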
(Reporter)

Comment 1

3 years ago
Created attachment 8649889 [details]
Screenshot of the behavior on Android
(Reporter)

Comment 2

3 years ago
Whoops, sorry, the example URL is missing a slash after bankofamerica.com. That's required to trigger the highlighting bug. Here's the working URL:

about:neterror?@bankofamerica.com/&e=nssFailure2&u=&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https://www.bankofamerica.com/,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support.

Comment 3

Now that we added a mechanism to keep about:reader links from being linkable we should do the same for about:neterror -- and then check more of our unprivileged about links.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Product: Firefox → Core

Comment 4

3 years ago
Firefox seems to override the default about:neterror (don't know why), so, not sure if this is docshell or Firefox issue.
(Reporter)

Comment 5

3 years ago
The Android URL highlighting issue might be bug 1199601. Not sure though, considering it's Android-only.

Updated

3 years ago
Group: core-security → dom-core-security
Flags: sec-bounty?
Minor spoofing bugs do not meet the bounty qualifications.
Flags: sec-bounty? → sec-bounty-
Duplicate of this bug: 1339330
Group: dom-core-security

Updated

4 months ago
Priority: -- → P5