Closed Bug 1224906 Opened 4 years ago Closed 4 years ago

Address bar spoofing by userinfo field of URI

Categories

(Firefox for iOS :: General, defect)

All
iOS
defect
Not set

Tracking


RESOLVED FIXED
Tracking Status
fxios 1.3+ ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: fluffyemily)

Details

(Keywords: csectype-spoof, sec-moderate)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.58 Safari/537.36

Steps to reproduce:

Click the following link in Firefox for iOS.
<a href="https://accounts.google.com%00%00%00%00%00%00@mallory.csrf.jp:8020">Launch Fake Google</a>

Actual results:

The URL shown in the location bar is "https://accounts.google.com%.." but the current page is "mallory.csrf.jp:8020".

Expected results:

The userinfo field in the URI should be removed, and the current host name "mallory.csrf.jp:8020" should be shown in the location bar.
Attached image screenshot
I made a PoC as follows, and the attached image is a screenshot taken when it was reproduced.
https://mallory.csrf.jp/ios/spoofing.html
Not sure if the iOS version is part of the bounty program, but nominating all the same.
Flags: sec-bounty?
tracking-fxios: --- → ?
Hardware: Other → All
Does this reproduce on Safari for iOS?
Flags: needinfo?(sdna.muneaki.nishimura)
Keywords: sec-low
It's not reproducible on Safari for iOS.
When navigated to a URL with userinfo, Safari blocks the load and shows a phishing-site alert window, as attached.
Flags: needinfo?(sdna.muneaki.nishimura)
We should not be showing userinfo in the URL bar; this was a very old phishing technique (search for old Firefox security bugs about that).

Even if we stop showing the userinfo, though, the restricted space allows for spoofing of the form "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to do about that.
Assignee: nobody → etoop
Status: NEW → ASSIGNED
Confirmed this is a bug that we will fix in Firefox.
Attached file Pull request
Removes user info from the URL bar
Attachment #8691889 - Flags: review?(sarentz)
Comment on attachment 8691889 [details] [review]
Pull request

LGTM
Attachment #8691889 - Flags: review?(sarentz) → review+
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Which release are we tracking this for? 1.3 or 1.4?
I think this one is a 1.3 release as it's a security bug, but double-check with :st3fan.
(In reply to Daniel Veditz [:dveditz] from comment #5)

> Even if we stop showing the userinfo, though, the restricted space allows
> for spoofing of the form
> "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to
> do about that.

We do show all domain segments other than the baseDomain in grey. We ellipsize the end of the URL. So that would show as

[grey]https://accounts.google.com.net.real…[/grey]

which might be enough to tickle a user's spidey sense. On a big iPad it'd be

[grey]https://accounts.google.com.net.really.but.you.cant.see.[/grey][black]this.com[/black]
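The two display rules discussed in this bug (drop the userinfo entirely, as the pull request does, and grey out every host label other than the base domain while ellipsizing the end on narrow screens, as comment 10 describes) can be put together as a small location-bar formatter. The code below is an added example, not Firefox for iOS code and not the pull request attached to this bug. It assumes a WHATWG-conformant URL parser (Node's built-in `URL`) and uses a deliberately simplified base-domain rule (the last two labels) where a real browser would consult the Public Suffix List; the sample inputs are the PoC URL from this report and the look-alike host from comment 5.

```javascript
// Added example (not Firefox for iOS code and not the pull request in this bug).
// Derives what a location bar should display from a navigated URL:
//   1. the userinfo ("user:pass@") is dropped entirely, so it can never be
//      read as the host;
//   2. the host is split into a greyed prefix and the emphasised base domain,
//      and the text is ellipsized at the end when it does not fit.
// Assumptions: Node's built-in WHATWG URL parser, and a simplified
// base-domain rule (last two labels) instead of the Public Suffix List.

function stripUserinfo(rawUrl) {
  const url = new URL(rawUrl);
  // The parser has already put "accounts.google.com%00..." into url.username;
  // clearing the credential fields removes it from url.href as well.
  url.username = '';
  url.password = '';
  return url;
}

function splitHost(hostname) {
  // Simplification: the last two labels are the base domain, the rest is prefix.
  const labels = hostname.split('.');
  if (labels.length <= 2) return { prefix: '', baseDomain: hostname };
  return {
    prefix: labels.slice(0, -2).join('.') + '.',
    baseDomain: labels.slice(-2).join('.'),
  };
}

function locationBarDisplay(rawUrl, maxChars = Infinity) {
  const url = stripUserinfo(rawUrl);
  const { prefix, baseDomain } = splitHost(url.hostname);
  const port = url.port ? ':' + url.port : '';
  let grey = `${url.protocol}//${prefix}`; // scheme and non-base labels, greyed
  let black = `${baseDomain}${port}`;      // base domain (and port), emphasised
  const full = grey + black;
  if (full.length > maxChars) {
    // Narrow screen: keep the start and mark the cut with an ellipsis. The
    // emphasised part may be cut away entirely, which is the weak case
    // comment 10 points out.
    const kept = full.slice(0, Math.max(0, maxChars - 1)) + '…';
    grey = kept.slice(0, grey.length);
    black = kept.slice(grey.length);
  }
  return { grey, black, host: url.host };
}

// Constructed inputs: the URL from this bug's PoC link and the look-alike
// host from comment 5.
const spoofAttempt = 'https://accounts.google.com%00%00%00%00%00%00@mallory.csrf.jp:8020';
const lookAlike = 'https://accounts.google.com.net.really.but.you.cant.see.this.com/';

console.log(locationBarDisplay(spoofAttempt));
console.log(locationBarDisplay(lookAlike));     // wide screen (big iPad)
console.log(locationBarDisplay(lookAlike, 37)); // narrow screen, ellipsized
```

For the PoC URL the formatter yields `host` = `mallory.csrf.jp:8020` with nothing of the userinfo left in either segment; for the look-alike host at 37 characters the whole visible string is grey and ends in an ellipsis, exactly the residual risk the discussion describes. Replacing `splitHost` with a Public Suffix List lookup is the one change needed to make the base-domain split correct for hosts such as `example.co.uk`.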
(In reply to Stephan Leroux [:sleroux] from comment #9)
> Which release are we tracking this for? 1.3 or 1.4?

It's tracking 1.3. If a patch is done, tested, and landed, we should uplift it to v1.x.
Whiteboard: [needs uplift]
Flags: sec-bounty? → sec-bounty+
Whiteboard: [needs uplift] → [needsuplift]
v1.x 7193960
Whiteboard: [needsuplift]
Group: firefox-core-security → core-security-release
Group: core-security-release
Duplicate of this bug: 1288323