Closed Bug 1258160 Opened 6 years ago Closed 6 years ago

Address bar spoofing by using open redirection in /errors/error.html

Categories

(Firefox for iOS :: General, defect)

Other
iOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 1258188

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: csectype-spoof, sec-moderate)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.37 Safari/537.36

Steps to reproduce:

Firefox for iOS has an error page (/errors/error.html) that acts as an open redirector endpoint.
http://localhost:6571/errors/error.html?url=nttps://accounts.google.com/

It can be used for an address bar spoofing attack, bypassing a protection that was introduced by Bug 1224910.

The following link is a PoC of the issue.
http://mallory.csrf.jp/ios/spoofing3.html


Actual results:

The address bar in a new window shows "nttps://acounts.google.com/" and then "google.com" is highlighted.
But the origin of this window still remains unchanged so the opener can change the document.body.



Expected results:

It should behave as Bug 1224910.
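The following is an added example, not part of the original report and not Firefox for iOS code: one way an error-page endpoint like the one described could validate its `url` parameter before navigating to it. The function name, the scheme allowlist and the result shape are assumptions made for illustration.

```javascript
// Added illustration: names and policy here are assumptions, not the project's code.
// Only these schemes may be handed back to the browser for navigation.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Takes the full error-page URL (…/errors/error.html?url=<target>) and returns
// { ok: true, target } when the target is safe to load, else { ok: false, reason }.
function checkErrorPageTarget(errorPageUrl) {
  let page;
  try {
    page = new URL(errorPageUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable error page URL" };
  }
  const raw = page.searchParams.get("url");
  if (raw === null || raw === "") {
    return { ok: false, reason: "missing url parameter" };
  }
  let target;
  try {
    // Absolute URLs only: relative input throws because no base is supplied.
    target = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "url parameter is not an absolute URL" };
  }
  // An unknown scheme such as "nttps:" still parses as a URL, so the scheme
  // must be checked explicitly rather than relying on parse success.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + target.protocol };
  }
  return { ok: true, target: target.href };
}

// Sample inputs: the first is the URL quoted in the report, the rest are constructed.
const samples = [
  "http://localhost:6571/errors/error.html?url=nttps://accounts.google.com/",
  "http://localhost:6571/errors/error.html?url=https://accounts.google.com/",
  "http://localhost:6571/errors/error.html?url=about:blank",
  "http://localhost:6571/errors/error.html",
];
for (const s of samples) {
  console.log(s, "=>", JSON.stringify(checkErrorPageTarget(s)));
}
```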
Flags: sec-bounty?
Flags: needinfo?(sarentz)
Agree with sec-moderate. This should be prevented with bug 1263627.
Depends on: 1263627
Flags: needinfo?(sarentz)
Flags: sec-bounty? → sec-bounty-
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: sec-bounty- → sec-bounty?
Resolution: --- → DUPLICATE
Duplicate of bug: 1258188
Flags: sec-bounty? → sec-bounty+
Flags: sec-bounty+ → sec-bounty-
Group: firefox-core-security → mobile-core-security
Group: mobile-core-security