Closed Bug 1258160 Opened 6 years ago Closed 6 years ago
Address bar spoofing by using open redirection in /errors/error
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.37 Safari/537.36 Steps to reproduce: Firefox for iOS has an error page (/errors/error.html) that acts as an open redirector endpoint. http://localhost:6571/errors/error.html?url=nttps://accounts.google.com/ It can be used for address bar spoofing attack with bypassing a protection that was introduced by Bug 1224910. The following link is a PoC of the issue. http://mallory.csrf.jp/ios/spoofing3.html Actual results: The address bar in a new window shows "nttps://acounts.google.com/" and then "google.com" is highlighted. But the origin of this window still remains unchanged so the opener can change the document.body. Expected results: It should behave as Bug 1224910.
Agree with sec-moderate. This should be prevented with bug 1263627
Depends on: 1263627
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: sec-bounty- → sec-bounty?
Resolution: --- → DUPLICATE
Duplicate of bug: 1258188
You need to log in before you can comment on or make changes to this bug.