Closed Bug 1224906 Opened 10 years ago Closed 10 years ago

Address bar spoofing by userinfo field of URI

Categories

(Firefox for iOS :: General, defect)

Product:
Firefox for iOS
Component:
General
Platform:
All
iOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
fxios 1.3+ ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: fluffyemily)

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate)

Attachments

(3 files)

screenshot
31.32 KB, image/png
Details
Test result on Safari for iOS
81.64 KB, image/png
Details
Pull request
48 bytes, text/x-github-pull-request
st3fan
: review+
Details | Review
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.58 Safari/537.36 Steps to reproduce: Click following link by Firefox for iOS. <a href="https://accounts.google.com%00%00%00%00%00%00@mallory.csrf.jp:8020">Launch Fake Google</a> Actual results: The URL shown in the location bar is "https://accounts.google.com%.." but the current page is "mallory.csrf.jp:8020". Expected results: The userinfo field in URI should be removed and current host name "mallory.csrf.jp:8020" should be shown in the location bar.
Attached image screenshot
I made a PoC as follows and the attached is a screenshot when reproduced. https://mallory.csrf.jp/ios/spoofing.html
Not sure if the iOS version is part of the bounty program but nominating all the same
Flags: sec-bounty?
tracking-fxios: --- → ?
Hardware: Other → All
Does this reproduce on Safari for iOS?
Flags: needinfo?(sdna.muneaki.nishimura)
Keywords: sec-low
It's not reproducible on Safari for iOS. When navigated to a URL with userinfo Safari blocks the loading and shows phishing site alert window as attached.
Flags: needinfo?(sdna.muneaki.nishimura)
We should not be showing userinfo in the URL bar, this was a very old phishing technique. (search for old firefox security bugs about that). Even if we stop showing the userinfo, though, the restricted space allows for spoofing of the form "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to do about that.
Keywords: sec-lowcsectype-spoof, sec-moderate
Assignee: nobody → etoop
Status: NEW → ASSIGNED
Confirmed this is a bug that we will fix in Firefox.
Attached file Pull request
Removes user info from the URL bar
Attachment #8691889 - Flags: review?(sarentz)
Comment on attachment 8691889 [details] [review] Pull request LGTM
Attachment #8691889 - Flags: review?(sarentz) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Which release are we tracking this for? 1.3 or 1.4?
I think this one is a 1.3 release as it's a security bug, but double check with :st3fan
(In reply to Daniel Veditz [:dveditz] from comment #5) > Even if we stop showing the userinfo, though, the restricted space allows > for spoofing of the form > "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to > do about that. We do show all domain segments other than the baseDomain in grey. We ellipsize the end of the URL. So that would show as [grey]https://accounts.google.com.net.real…[/grey] which might be enough to tickle a user's spidey sense. On a big iPad it'd be [grey]https://accounts.google.com.net.really.but.you.cant.see.[/grey][black]this.com[/black]
(In reply to Stephan Leroux [:sleroux] from comment #9) > Which release are we tracking this for? 1.3 or 1.4? It's tracking 1.3. If a patch is done, tested, and landed, we should uplift it to v1.x.
Whiteboard: [needs uplift]
Flags: sec-bounty? → sec-bounty+
Whiteboard: [needs uplift] → [needsuplift]
v1.x 7193960
Whiteboard: [needsuplift]
Group: firefox-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: