Closed
Bug 1258160
Opened 9 years ago
Closed 9 years ago
Address bar spoofing by using open redirection in /errors/error.html
Categories
(Firefox for iOS :: General, defect)
RESOLVED
DUPLICATE
of bug 1258188
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.37 Safari/537.36
Steps to reproduce:
Firefox for iOS has an error page (/errors/error.html) that acts as an open redirector endpoint.
http://localhost:6571/errors/error.html?url=nttps://accounts.google.com/
It can be used for an address bar spoofing attack, bypassing a protection that was introduced by Bug 1224910.
The following link is a PoC of the issue.
http://mallory.csrf.jp/ios/spoofing3.html
Actual results:
The address bar in a new window shows "nttps://acounts.google.com/" and then "google.com" is highlighted.
But the origin of this window still remains unchanged so the opener can change the document.body.
Expected results:
It should behave as Bug 1224910.
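An added example, not part of the original report and not the change tracked in the referenced bugs: a scheme allowlist check for the `url` parameter of a redirecting error page, run against the URL from the report and a few constructed inputs. The helper name `checkRedirectTarget` and the choice of allowed schemes are assumptions.

```javascript
// Hypothetical helper (assumption, not Firefox for iOS code): decide whether
// a redirecting error page may navigate to the value of its `url` parameter.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed policy

// Returns { ok: true, target } or { ok: false, reason }.
function checkRedirectTarget(errorPageUrl) {
  let page;
  try {
    page = new URL(errorPageUrl);
  } catch {
    return { ok: false, reason: "unparseable page URL" };
  }
  const raw = page.searchParams.get("url");
  if (raw === null || raw === "") {
    return { ok: false, reason: "missing url parameter" };
  }
  let target;
  try {
    target = new URL(raw); // no base supplied: relative values are refused
  } catch {
    return { ok: false, reason: "url parameter is not an absolute URL" };
  }
  // URL parsing accepts any syntactically valid scheme, so a value such as
  // "nttps://accounts.google.com/" parses cleanly and still exposes a
  // hostname. Parsing alone is therefore not a validity check.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { ok: false, reason: `scheme ${target.protocol} not allowed` };
  }
  return { ok: true, target: target.href };
}

// First entry is the URL from the report; the rest are constructed samples.
const SAMPLES = [
  "http://localhost:6571/errors/error.html?url=nttps://accounts.google.com/",
  "http://localhost:6571/errors/error.html?url=https://example.com/path",
  "http://localhost:6571/errors/error.html?url=javascript:void(0)",
  "http://localhost:6571/errors/error.html?url=/relative/only",
  "http://localhost:6571/errors/error.html",
];

function runSamples() {
  return SAMPLES.map((s) => checkRedirectTarget(s));
}

for (const [i, r] of runSamples().entries()) {
  console.log(SAMPLES[i], "->", r.ok ? `allow ${r.target}` : `refuse (${r.reason})`);
}
```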
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Flags: needinfo?(sarentz)
Comment 1•9 years ago
Agree with sec-moderate. This should be prevented with bug 1263627.
Depends on: 1263627
Flags: needinfo?(sarentz)
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: sec-bounty- → sec-bounty?
Resolution: --- → DUPLICATE
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
Flags: sec-bounty+ → sec-bounty-
Updated•6 years ago
Group: firefox-core-security → mobile-core-security
Updated•6 years ago
Group: mobile-core-security
Updated•9 months ago
Keywords: reporter-external