Closed
Bug 1197901
(CVE-2016-2813)
Opened 9 years ago
Closed 9 years ago
Risks in the current implementation of Firefox on Android in accessing to the mobile orientation and motion sensors via JavaScript codes
Categories
(Core :: DOM: Device Interfaces, defect)
Tracking
()
People
(Reporter: maryam.mehrnejad, Assigned: smaug)
References
Details
(Keywords: sec-high, Whiteboard: [post-critsmash-triage][adv-main46+])
Attachments
(5 files, 3 obsolete files)
|
626.82 KB,
application/pdf
|
Details | |
|
11.58 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
|
11.53 KB,
patch
|
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
11.78 KB,
patch
|
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
11.54 KB,
patch
|
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324
Steps to reproduce:
Dear Sir/ Madam,
I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current implementation of Firefox for Android in regards to accessing to the mobile orientation and motion sensors via JavaScript codes. The results of our work show that it is possible to infer user’s touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mobile browsers including yours. This feature seems to be implemented in Firefox according to the W3C device orientation event specification (http://www.w3.org/TR/orientation-event/) which needs to be revised too.
A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user’s PINs will be published soon. We would be very happy to provide you with more information in regards to this problem.
Regards,
Maryam Mehrnezhad
Actual results:
User privacy and security leak
Severity: normal → major
Component: Untriaged → Web Apps
OS: Unspecified → Android
Product: Firefox → Firefox for Android
Version: unspecified → Firefox 40
|
||
Comment 1•9 years ago
|
||
We don't have access to your paper, please attach a copy to this bug or mail us at security@mozilla.org
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Web Apps → DOM: Device Interfaces
Ever confirmed: true
Flags: needinfo?(maryam.mehrnejad)
Product: Firefox for Android → Core
Version: Firefox 40 → unspecified
Short version of the paper
Flags: needinfo?(maryam.mehrnejad)
(In reply to Daniel Veditz [:dveditz] from comment #1)
> We don't have access to your paper, please attach a copy to this bug or mail
> us at security@mozilla.org
Short version of the paper is attached to the bug now. You can find the detailed version of the paper from: http://homepages.cs.ncl.ac.uk/m.mehrnezhad/
|
||
Comment 4•9 years ago
|
||
Olli, do you know who might be able to look into this issue?
Flags: needinfo?(bugs)
|
Assignee | |
Comment 5•9 years ago
|
||
Hmm, didn't dougt work on orientation and motion sensors?
Maryam, do you by any chance have some code showing the issue?
Also, do you perhaps have links to bugs you have filed (I assume) on other browsers?
I wonder if we should either make deviceorientation/devicemotion use some permission model
(so that when an event listener is added, permission is asked), or limit those events to top level page, and nested browsing context from the same domain. I think I'd prefer the latter one.
Anne, any comments?
Flags: needinfo?(maryam.mehrnejad)
Flags: needinfo?(bugs)
Flags: needinfo?(annevk)
|
|
||
Comment 6•9 years ago
|
||
There's some code at the very end of the paper here:
http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf
|
||
Comment 7•9 years ago
|
||
Your suggestion seems reasonable. I don't really know about the specific attacks, but I have heard about using orientation events to steal passwords a long time ago. What's new?
Flags: needinfo?(annevk)
|
||
Comment 8•9 years ago
|
||
It is completely new attack via only JavaScript codes. Before, it is been done by installing native apps on mobile devices.
|
|
Assignee | |
Comment 9•9 years ago
|
||
I'd say this is a dup of bug 686401, so nothing new.
|
|
||
Comment 10•9 years ago
|
||
Making the attack practical in javascript may be new (and very cool research), but as seen in bug 686401 the Firefox defenses we'd need to protect against the attack were predicted based on nascent research.
Depends on: 686401
|
|
||
Comment 11•9 years ago
|
||
It is the same bug as 686401, however, our research proves it is indeed practical to perform such an attack.
|
|
Assignee | |
Comment 12•9 years ago
|
||
Indeed, and it should be fixed consistently across all the browsers and also the spec needs to be fixed. Do you have links to bugs on other browser implementations? That might help with coordinating this work.
Flags: needinfo?(toreini)
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
Reporter | |
Comment 13•9 years ago
|
||
We have reported the issue to all major browsers and also w3c. Some of them are discussing the bug inside private groups. None of them are public yet.
Flags: needinfo?(maryam.mehrnejad)
|
|
Assignee | |
Comment 14•9 years ago
|
||
Maryam, could you still give the links to other browsers bugs. I know those are probably hidden by
default, but I could then ask the developers of other browsers to give access to those bugs.
Flags: needinfo?(maryam.mehrnejad)
|
|
Reporter | |
Comment 15•9 years ago
|
||
It's issue 523320 in Chromium. For the rest browsers we are in contact with them via email.
Flags: needinfo?(maryam.mehrnejad)
|
|
||
Updated•9 years ago
|
|
||
Comment 16•9 years ago
|
||
there is some relevant chromium discussion here: crbug.com/421691
|
||
Comment 17•9 years ago
|
||
Marking sec-high for now until further investigation can be made.
Keywords: sec-high
|
|
Assignee | |
Comment 18•9 years ago
|
||
MS and Blink folks seem to be ok with the approach from bug 686401.
Assignee: nobody → bugs
|
|
Assignee | |
Comment 19•9 years ago
|
||
This would limit events to foreground tabs in focused windows.
|
|
Assignee | |
Comment 20•9 years ago
|
||
Attachment #8669174 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 21•9 years ago
|
||
I've been trying to follow the conversation, however I am not authorized to access bug 1211258. Is there any way for me to see this bug?
|
|
Assignee | |
Comment 22•9 years ago
|
||
Comment on attachment 8669419 [details] [diff] [review]
v3
For FFOS we need bug 1211258.
DeviceSensorTestEvent is a bit silly, but we don't really have other ways to test this stuff.
Attachment #8669419 -
Flags: review?(bzbarsky)
|
||
Comment 23•9 years ago
|
||
Comment on attachment 8669419 [details] [diff] [review]
v3
>+ principal->Subsumes(topPrincipal, &subsumes);
Could we just add a one-arg form of Subsumes() on nsIPrincipal (presumably inline)? It worries me that you're not considering rv.... you probably should.
r=me modulo that.
Attachment #8669419 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 24•9 years ago
|
||
well, if subsumes (which is initialized to false) is set to true yet the method returns failure, I'd say that is rather horrible bug in ::Subsumes implementation.
But now I see we have the easier to use Subsumes() for C++.
|
|
Assignee | |
Comment 25•9 years ago
|
||
|
|
Assignee | |
Comment 26•9 years ago
|
||
Comment on attachment 8670428 [details] [diff] [review]
simpler subsumes
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It is obvious what the issue is about, but actually constructing an exploit...
http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf is public and bug 686401 has been open for years.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be
-u "Olli Pettay <Olli.Pettay@helsinki.fi>" -m "Bug 1197901, ensure sensor events dispatching follows the becoming spec change, r=bz"
Which older supported branches are affected by this flaw?
All
If not all supported branches, which bug introduced the flaw?
(This is old stuff, known at least since bug 686401)
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patch seems to apply to older branches, expect the testing part of the patch
How likely is this patch to cause regressions; how much testing does it need?
this changes functionality a bit, so, not super safe.
Attachment #8670428 -
Flags: sec-approval?
|
||
Updated•9 years ago
|
status-firefox41:
--- → wontfix
status-firefox42:
--- → affected
status-firefox43:
--- → affected
status-firefox44:
--- → affected
status-firefox-esr38:
--- → wontfix
tracking-firefox42:
--- → +
tracking-firefox43:
--- → +
tracking-firefox44:
--- → +
|
|
||
Comment 27•9 years ago
|
||
Comment on attachment 8670428 [details] [diff] [review]
simpler subsumes
Sec-approval+ for checkin to trunk. We should take this on Beta and Aurora too. Marking as won't fix for ESR38 since this is Fennec specific and we don't have an ESR for Fennec.
Attachment #8670428 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 28•9 years ago
|
||
Looks like we have still some issue in FFOS
(I thought bug 1211258 would have been enough). Investigating.
|
||
Comment 29•9 years ago
|
||
Olli, are you planning to request the uplift to 42 & 43? Thanks
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 30•9 years ago
|
||
No. Need to sort out the FFOS issues first.
I should have asked sec approval a bit later.
Flags: needinfo?(bugs)
|
|
||
Comment 31•9 years ago
|
||
OK. I am going to mark it wontfix for 42. Please let me know if the situation changes.
|
||
Comment 32•9 years ago
|
||
Any luck here Olli? We can still take a patch in beta. If you think it will still be wontfixed for 43, please let me know.
Flags: needinfo?(bugs)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8691062 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 34•9 years ago
|
||
Smaug: Just poking this bug as it's a sec-high and tracked for FF44, do we know the issue better and potentially a fix ready for uplift to Beta44? Please let me know.
Flags: needinfo?(bugs)
|
|
||
Comment 36•9 years ago
|
||
Too late for 43, wontfixing.
Marking affected and adding tracking for 45/46 since it looks like they're also affected
status-firefox45:
--- → affected
status-firefox46:
--- → affected
tracking-firefox45:
--- → +
tracking-firefox46:
--- → +
|
|
||
Comment 37•9 years ago
|
||
Untracking as we shipped several releases with it.
Please resubmit when we have a fix ready to land.
|
|
||
Comment 38•9 years ago
|
||
smaug - Would you like to take another look at checking this fix in without considering the b2g issues? Seems like priorities may have shifted here so it would be worth finally fixing this sec-high bug.
|
|
Assignee | |
Comment 39•9 years ago
|
||
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 40•9 years ago
|
||
Attachment #8694857 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 41•9 years ago
|
||
Comment on attachment 8720426 [details] [diff] [review]
up-to-date (for trunk)
Trying again now
[Security approval request comment]
See comment 26
Attachment #8720426 -
Flags: sec-approval?
|
|
Reporter | |
Comment 42•9 years ago
|
||
Hi all,
A quick update on W3C new draft, Thought it might be interesting for you:
https://github.com/w3c/deviceorientation/pull/25/files#diff-87104462239df473f9aa72c3bb6ad124R641
|
|
||
Updated•9 years ago
|
Attachment #8720426 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 43•9 years ago
|
||
Comment on attachment 8720427 [details] [diff] [review]
up-to-date (aurora & beta)
Approval Request Comment
[Feature/regressing bug #]: We've had the old behavior for ages.
[User impact if declined]: See the comment 0
[Describe test coverage new/current, TreeHerder]: Added a test
[Risks and why]: non-same-origin iframes in pages can't use the feature anymore,
but it is a spec change (which doesn't mean the change is web compatible, unfortunately).
[String/UUID change made/needed]: NA
Attachment #8720427 -
Flags: approval-mozilla-beta?
Attachment #8720427 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 44•9 years ago
|
||
|
||
Comment 45•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
|
|
||
Updated•9 years ago
|
|
|
||
Comment 46•9 years ago
|
||
Comment on attachment 8720427 [details] [diff] [review]
up-to-date (aurora & beta)
This is too late in the 45 cycle. This is the last week of the beta cycle.
Taking it in aurora.
Attachment #8720427 -
Flags: approval-mozilla-beta?
Attachment #8720427 -
Flags: approval-mozilla-beta-
Attachment #8720427 -
Flags: approval-mozilla-aurora?
Attachment #8720427 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 47•9 years ago
|
||
|
|
||
Updated•9 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Comment 48•9 years ago
|
||
Still no ESR for Fennec
|
|
||
Updated•9 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main46+]
|
|
||
Updated•9 years ago
|
Alias: CVE-2016-2813
|
|
Reporter | |
Comment 49•9 years ago
|
||
Thanks everyone for taking action on our reported bug as announced here:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-43/
For a detailed version of our work, the journal version of the paper is freely accessible from:
http://arxiv.org/abs/1602.04115
-Maryam
|
|
||
Updated•8 years ago
|
Group: core-security-release
See Also: → 1436874
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(toreini)
You need to log in
before you can comment on or make changes to this bug.
Description
•