Closed
Bug 1228997
Opened 8 years ago
Closed 6 years ago
Drag and drop a javascript: URL link into the location bar leads to URL bar spoofing
Categories
(Firefox :: Address Bar, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jordi.chancel, Unassigned)
Details
(Keywords: csectype-spoof, sec-moderate)
User Story
Dropping or pasting URLs into the location bar (in particular data: and javascript: urls, but any) into the location bar should show the beginning of the URL, not the end. We should indicate truncation (front or back) with "..." (or "…" \u2026) or some other marker (an arrow?). The marker should not be part of the URL text though -- we don't want people to select it when trying to copy part of the URL.
Attachments
(3 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

This issue is similar to http://www.mozilla.org/security/announce/2012/mfsa2012-43.html, but in this new vulnerability it is a javascript: URL link which is used. When you drag and drop a big javascript: URL link into the location bar, the end of this link is shown in the location bar and leads to URL spoofing (view screenshot). This leads to moderate URL spoofing like http://www.mozilla.org/security/announce/2012/mfsa2012-43.html, which is a similar vulnerability.

Steps:
1. Go to the PoC remotely (URL: )
2. Drag and drop the javascript: URL link into the location bar.
3. With the onmousedown event and the setTimeout JavaScript function, you can use the alert() JavaScript function and/or change the content of the webpage to lead to the expected result, which is to spoof the URL in the location bar.

Actual results:

Location bar is spoofed; the end of the javascript: URL link is shown.

Expected results:

End of javascript: URL link is shown (leading to the spoofing of the URL in the location bar).
Comment 1•8 years ago
I can partially confirm this: the end of the dragged link does show in the URL bar. We do not show a lock icon (and if you're on a page that has one we take it away). When I tested it this wasn't particularly convincing because the URL was "e.com_________________" instead of "https://google.com" as intended so there's obviously some variability in fonts, systems, screen density or other things, not even mentioning user customizations (adding/removing icons or changing the theme). We do not execute the javascript: url (anti self-XSS defense), but unlike pasting we do not remove the "javascript:" scheme. We should do the same thing for drag and drop that we do for pasting.
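The display problem described in comment 1, and the fix the user story and comment 1 propose (strip the javascript: scheme on drop as is already done on paste, and show the start of a long string with a separate truncation marker), modelled as an added example. This is illustration code written for this page, not Firefox's location-bar code; the field width, the helper names and the sample URL are constructed assumptions. It only models what the bar displays; as comment 1 notes, the dropped javascript: URL is not executed.

```javascript
// Added example: models the location-bar display issue from this bug and the
// proposed fix. Not Firefox code; widths, names and the sample URL are assumptions.

const ELLIPSIS = "\u2026"; // the "…" truncation marker suggested in the user story

// Constructed sample: a long javascript: URL padded so that its last 22
// characters read like an https: origin. The padding is made up for this example.
const SAMPLE_URL =
  "javascript:" + "void(0);//" + "_".repeat(60) + "https://www.google.com";

// Reported behaviour: a field that scrolls to the END of a long dropped string
// shows only its last `width` characters, so the padding hides the real scheme.
function renderTail(text, width) {
  return text.length <= width ? text : text.slice(text.length - width);
}

// Proposed behaviour: show the BEGINNING of the string. The marker is returned
// separately so it is not part of the selectable URL text (the user story asks
// that it not be copied along with the URL).
function renderHead(text, width) {
  if (text.length <= width) return { visible: text, marker: "" };
  return { visible: text.slice(0, width - 1), marker: ELLIPSIS };
}

// Paste-style hardening applied to drops: remove a leading "javascript:" scheme.
// Leading whitespace/control characters are ignored by URL parsers and the
// scheme is case-insensitive, so match after trimming and ignore case.
function stripJavascriptScheme(text) {
  const trimmed = text.replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^javascript:/i.exec(trimmed);
  return m ? trimmed.slice(m[0].length) : trimmed;
}

// Hypothetical drop handler combining both fixes (assumed name).
function handleDrop(text, width) {
  return renderHead(stripJavascriptScheme(text), width);
}

// Compare the reported rendering with the proposed one for the sample.
function demo(width = 22) {
  const fixed = handleDrop(SAMPLE_URL, width);
  return {
    spoofed: renderTail(SAMPLE_URL, width),   // "https://www.google.com"
    fixed: fixed.visible + fixed.marker,      // "void(0);//___________…"
  };
}

console.log(demo());
```

The width of 22 is chosen only because it equals the length of the padded tail; comment 1 and comment 7 show why a real attacker cannot rely on any fixed width, since fonts, toolbar icons and theme change how many characters are visible.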
Updated•8 years ago
Component: General → Location Bar
Product: Core → Firefox
Comment 2•8 years ago
I filed bug 1229426 on the drag and drop scheme removal.
Reporter
Comment 3•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> I can partially confirm this: the end of the dragged link does show in the
> URL bar. We do not show a lock icon (and if you're on a page that has one we
> take it away). When I tested it this wasn't particularly convincing because
> the URL was "e.com_________________" instead of "https://google.com" as
> intended so there's obviously some variability in fonts, systems, screen
> density or other things, not even mentioning user customizations
> (adding/removing icons or changing the theme).
>
> We do not execute the javascript: url (anti self-XSS defense), but unlike
> pasting we do not remove the "javascript:" scheme. We should do the same
> thing for drag and drop that we do for pasting.

Yes, but it's possible to define the window size and so craft a javascript: link with the right size/number of characters chosen to show the URL https://www.google.com as a convincing URL spoof. I will craft a new testcase and make a demonstration video to show you that we can use this vulnerability as a convincing URL spoof. (And look at this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=995739; this bug has the same impact and uses the same interaction and was rated sec-moderate in agreement with Curtis Koenig and Matt Wobensmith.)
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Summary: Drag and drop a javascript: URL link into the location bar leads to URL Spoofing (URL is Spoofed into the Location Bar) (similare to http://www.mozilla.org/security/announce/2012/mfsa2012-43.html ) → Drag and drop a javascript: URL link into the location bar leads to URL Spoofing (URL is Spoofed into the Location Bar)
Updated•8 years ago
Summary: Drag and drop a javascript: URL link into the location bar leads to URL Spoofing (URL is Spoofed into the Location Bar) → Drag and drop a javascript: URL link into the location bar leads to URL bar spoofing
Comment 4•8 years ago
Jordi, we're going to minus this for security bounty unless you can convince us that this is more than a sec-low issue by giving a new testcase and repro steps.
Flags: needinfo?(jordi.chancel)
Summary: Drag and drop a javascript: URL link into the location bar leads to URL bar spoofing → Drag and drop a javascript: URL link into the location bar leads to URL Spoofing (URL is Spoofed into the Location Bar)
Updated•8 years ago
Summary: Drag and drop a javascript: URL link into the location bar leads to URL Spoofing (URL is Spoofed into the Location Bar) → Drag and drop a javascript: URL link into the location bar leads to URL bar spoofing
Reporter
Comment 5•8 years ago
This is the video of the new testcase, which leads to a location bar spoofing (URL spoofing) with a perfect view of the spoofed URL in the location bar. In the Mozilla Foundation Security Advisory 2012-43, Bug 724599 (https://bugzilla.mozilla.org/show_bug.cgi?id=724599) has a severity rating of [sec-moderate]. And this bug uses exactly the same interaction and leads to exactly the same result (the video demonstration shows the same result and the same interaction as Bug 724599).
Flags: needinfo?(jordi.chancel)
Reporter
Comment 6•8 years ago
(Please read the previous comment: https://bugzilla.mozilla.org/show_bug.cgi?id=1228997#c5) This is the new testcase, which leads to a convincing URL spoofing (tested on Mac only). Al Billings, are you okay with what I have said and explained in the last comment?
Flags: needinfo?(abillings)
Updated•8 years ago
Flags: needinfo?(abillings) → needinfo?(dveditz)
Updated•8 years ago
Attachment #8698485 - Attachment mime type: application/zip → application/java-archive
Flags: needinfo?(dveditz)
Comment 7•8 years ago
The improved testcase still didn't work on my Mac. At first it was not even close to convincing due to a simple URL bar customization (I removed Pocket), but even in a clean profile there was an extra slash before the www.google that was clearly wrong (different system fonts? who knows). We can call it sec-moderate if you like, but it's still not what we're looking to give bounties to.
Comment 8•6 years ago
I couldn't reproduce this problem anymore; I asked Gijs and he couldn't reproduce it either. After 2 years we don't have a clear idea of what fixed it, thus resolving as WFM.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME