Bug 1224906 - Address bar spoofing by userinfo field of URI
Status: RESOLVED FIXED (Closed)
Opened 9 years ago; closed 9 years ago
Categories: Firefox for iOS :: General, defect
Tracking: fxios 1.3+
People: Reporter: sdna.muneaki.nishimura; Assigned: fluffyemily
Keywords: csectype-spoof, sec-moderate
Attachments: 3 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.58 Safari/537.36

Steps to reproduce:
Click the following link in Firefox for iOS.
<a href="https://accounts.google.com%00%00%00%00%00%00@mallory.csrf.jp:8020">Launch Fake Google</a>

Actual results:
The URL shown in the location bar is "https://accounts.google.com%.." but the current page is "mallory.csrf.jp:8020".

Expected results:
The userinfo field in the URI should be removed, and the current host name "mallory.csrf.jp:8020" should be shown in the location bar.
Comment 1 • 9 years ago (Reporter)
I made a PoC as follows, and the attached is a screenshot taken when it was reproduced. https://mallory.csrf.jp/ios/spoofing.html
Comment 2 • 9 years ago
Not sure if the iOS version is part of the bounty program, but nominating all the same.
Flags: sec-bounty?
Updated • 9 years ago
tracking-fxios: --- → ?
Hardware: Other → All
Updated • 9 years ago

Comment 3 • 9 years ago
Does this reproduce on Safari for iOS?
Flags: needinfo?(sdna.muneaki.nishimura)
Keywords: sec-low
Comment 4 • 9 years ago (Reporter)
It's not reproducible on Safari for iOS. When navigated to a URL with userinfo, Safari blocks the loading and shows a phishing site alert window, as attached.
Flags: needinfo?(sdna.muneaki.nishimura)
Comment 5 • 9 years ago
We should not be showing userinfo in the URL bar; this is a very old phishing technique (search for old Firefox security bugs about that). Even if we stop showing the userinfo, though, the restricted space allows for spoofing of the form "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to do about that.
Updated • 9 years ago (Assignee)
Assignee: nobody → etoop
Status: NEW → ASSIGNED
Comment 6 • 9 years ago
Confirmed this is a bug that we will fix in Firefox.
Comment 7 • 9 years ago (Assignee)
Removes user info from the URL bar
Attachment #8691889 - Flags: review?(sarentz)
Comment 8 • 9 years ago
Comment on attachment 8691889 [details] [review] (Pull request)
LGTM
Attachment #8691889 - Flags: review?(sarentz) → review+
Updated • 9 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 9 • 9 years ago
Which release are we tracking this for? 1.3 or 1.4?
Comment 10 • 9 years ago (Assignee)
I think this one is a 1.3 release, as it's a security bug, but double-check with :st3fan.
Comment 11 • 9 years ago
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Even if we stop showing the userinfo, though, the restricted space allows
> for spoofing of the form
> "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to
> do about that.

We do show all domain segments other than the baseDomain in grey. We ellipsize the end of the URL. So that would show as [grey]https://accounts.google.com.net.real…[/grey], which might be enough to tickle a user's spidey sense. On a big iPad it'd be [grey]https://accounts.google.com.net.really.but.you.cant.see.[/grey][black]this.com[/black]
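An added illustration of the two display rules discussed in comment 5 and comment 11 (example code written for this page, not code from the bug's pull request or from Firefox for iOS): render only the host the request actually goes to, never the userinfo field, and de-emphasise every label except the base domain. The sample URLs and the tiny PUBLIC_SUFFIXES set are constructed stand-ins; a browser would consult the full public suffix list.

```python
from urllib.parse import urlsplit

# Constructed samples, modelled on the PoC link and on comment 5's example.
POC_URL = "https://accounts.google.com%00%00%00%00%00%00@mallory.csrf.jp:8020"
LONG_HOST = "accounts.google.com.not.really.but.you.cant.see.this.com"

# Stand-in for the public suffix list (a real browser consults the full list).
PUBLIC_SUFFIXES = {"com", "net", "jp"}


def naive_location_text(url: str, width: int = 30) -> str:
    """Buggy display: the raw URL cut to the bar width. The userinfo part
    'accounts.google.com%00...' fills the visible text and the real host
    is pushed past the ellipsis."""
    return url if len(url) <= width else url[: width - 1] + "…"


def has_userinfo(url: str) -> bool:
    """True when the authority carries a userinfo field ('user:pass@').
    Safari (comment 4) refuses such navigations with a phishing warning."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def location_bar_text(url: str) -> str:
    """Fixed display: scheme plus the host (and port) the request really
    goes to; the userinfo field is never rendered."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host")
    host = parts.hostname
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def split_base_domain(host: str) -> tuple:
    """Split a host into (grey prefix, base domain) as comment 11 describes:
    every label except the registrable domain is de-emphasised, so the
    spoof reads as a long grey prefix followed by a black 'this.com'."""
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_SUFFIXES:
        return "", host
    prefix = ".".join(labels[:-2])
    return (prefix + "." if prefix else ""), ".".join(labels[-2:])


if __name__ == "__main__":
    print(naive_location_text(POC_URL))  # https://accounts.google.com%0…
    print(location_bar_text(POC_URL))    # https://mallory.csrf.jp:8020
    print(split_base_domain(LONG_HOST))
```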
Comment 12 • 9 years ago
(In reply to Stephan Leroux [:sleroux] from comment #9)
> Which release are we tracking this for? 1.3 or 1.4?

It's tracking 1.3. If a patch is done, tested, and landed, we should uplift it to v1.x.
Whiteboard: [needs uplift]
Updated • 9 years ago
Flags: sec-bounty? → sec-bounty+
Updated • 9 years ago
Whiteboard: [needs uplift] → [needsuplift]
Updated • 9 years ago
Group: firefox-core-security → core-security-release
Updated • 8 years ago
Group: core-security-release