Bug 1279162 (Closed)
A click on the arrow/button in the location bar which shows the history can lead to a Location Bar Spoofing vulnerability (URL and SSL Spoofing) using a bigger URL size.
Opened 8 years ago, closed 8 years ago
Category: Firefox :: Address Bar, defect
Status: RESOLVED WORKSFORME
Reporter: jordi.chancel (Unassigned)
Keywords: reporter-external
Attachments: 2 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506
Steps to reproduce:
(Only tested on Mac OS X.)
This Location Bar Spoofing (URL and SSL Spoofing) works with a click on the arrow that shows the history in the location bar (see testcase).
Explanation:
When a user clicks on this arrow to show the history on a crafted webpage with a big URL address size (eg: http://www.yyy.com/#wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwhttps://www.bank.com/ ), this leads to a possible Location Bar Spoofing (URL & SSL Spoofing).
When a user clicks on this button to show the history in the location bar, the end of the URL is shown instead of the start of this URL (so the location bar shows https://www.bank.com instead of http://www.yyy.com/# ).
- A demonstration video will be uploaded.
STR:
1) Open "Part1 https.html" with Firefox (web address in the URL box) and click on the button "Step 1: ClickMe"
(a popup window is opened)
2) Click on the button shown in the image in the webpage in the newly opened Firefox window (the button/arrow in the location bar that shows the history).
Actual results:
The Location Bar is spoofed and, if the malicious website is secure, this leads to URL and SSL Spoofing.
Expected results:
If a user clicks on the arrow/button in the location bar to show the history, the end of the URL is shown instead of the start of this URL.
Possible way to patch this vulnerability:
When a user clicks on the arrow/button to show the history in the location bar, Firefox should continue to show the start of the visited URL instead of the end of this URL.
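The following Node.js snippet is an added illustration of the report's mechanism; it is not part of the bug report, the testcase, or Firefox. It parses the crafted address from the report with the WHATWG URL parser to show which part is the real origin and which part only rides along in the fragment, applies a simple heuristic that flags a second scheme://host embedded in the non-origin part, and implements the display rule the reporter proposes (keep the origin visible, elide the tail). The hosts www.yyy.com and www.bank.com are the report's placeholders, the 46-character filler is constructed, and the function names describe, embedsLookalikeUrl and safeDisplay are chosen here.

```javascript
// Added example, not code from the bug report or from Firefox.
// Requires Node.js (global WHATWG URL class); runs offline.

// The crafted address from the report, reconstructed as a sample input.
// (Constructed: 46 filler characters; hosts are the report's placeholders.)
const CRAFTED = "http://www.yyy.com/#" + "w".repeat(46) + "https://www.bank.com/";

// Split an address into what the browser actually connects to (the origin)
// and what merely rides along in the path, query and fragment.
function describe(urlString) {
  const u = new URL(urlString);
  return {
    origin: u.origin,                  // scheme + host (+ port): the real site
    secure: u.protocol === "https:",   // only this decides whether TLS is used
    fragment: u.hash,                  // text after '#': never sent to the server
    tail: urlString.slice(-24),        // what a right-aligned, clipped bar shows
  };
}

// Heuristic: report a scheme://host that appears inside the non-origin part
// (the pattern the report relies on to make the tail read like another site).
// Returns the matched text, or null when nothing URL-like is embedded.
const EMBEDDED_URL = /https?:\/\/[a-z0-9.-]+/i;
function embedsLookalikeUrl(urlString) {
  const u = new URL(urlString);
  const nonOrigin = u.pathname + u.search + u.hash;
  const m = nonOrigin.match(EMBEDDED_URL);
  return m ? m[0] : null;
}

// The display rule the reporter asks for: keep the start of the address
// (the origin) visible and elide the tail when it does not fit in the bar.
function safeDisplay(urlString, maxLen = 40) {
  const u = new URL(urlString);
  const rest = u.pathname + u.search + u.hash;
  if (u.origin.length + rest.length <= maxLen) return u.origin + rest;
  const room = Math.max(0, maxLen - u.origin.length - 1);
  return u.origin + rest.slice(0, room) + "\u2026";
}

// Demo on the crafted address and on a genuine bank URL for comparison.
console.log(describe(CRAFTED));
console.log("embedded:", embedsLookalikeUrl(CRAFTED));
console.log("display :", safeDisplay(CRAFTED));
console.log("genuine :", embedsLookalikeUrl("https://www.bank.com/login"));
```

Run it with `node` to see that the crafted address has origin http://www.yyy.com and is not secure, that the only "https://www.bank.com" on the page is inside the fragment (which never reaches any server), and that an origin-first display never lets the bank host into the visible portion.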
Updated•8 years ago (Reporter)
Version: 46 Branch → 47 Branch
Comment 1•8 years ago (Reporter)
Video example
Updated•8 years ago
Component: General → Location Bar
Product: Core → Firefox
Updated•8 years ago
Group: core-security → firefox-core-security
Updated•8 years ago
Flags: sec-bounty?
Comment 2•8 years ago (Reporter)
Could you define the severity of this new vulnerability reported please?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(continuation)
Comment 3•8 years ago
Security bugs are triaged in a regular meeting. Needinfoing people will not get your bug triaged faster. Hopefully by next week this will have a rating assigned.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(continuation)
Comment 4•8 years ago
I don't see any spoofing with the testcase
Comment 5•8 years ago (Reporter)
(In reply to Daniel Veditz [:dveditz] from comment #4)
> I don't see any spoofing with the testcase
The testcase was tested only with Mac OS X YOSEMITE and Mac OS X El Capitan.
I have again tested the PoC now (1st September 2016 / 2016/09/01) (PoC link: https://www.alternativ-testing.fr/Research/Mozilla/~G61S3K-Possible-URL_and_SSL_Spoofing-M8H7D3/Part1%20https.html ) with Firefox 48.0.2 for Mac OS X and the testcase works.
The link of the video example: https://www.youtube.com/watch?v=XKNvXodW-8U .
If you tested the PoC on Windows or another OS and the spoofing doesn't work, I think that the testcase works only with Firefox for Mac OS X.
Comment 6•8 years ago
Using the test link in comment 5 and following the directions, I do not see the spoofing either.
First, when I follow the directions, it asks me to click on the back button. However, this is a new window, and the back button is disabled due to lack of history. So, nothing happens when I click that button. However, if I click in the location bar, the page renavigates, and I see an alert window plus phishing page. The URL bar is still not spoofed, however. See image.
I'm on Mac, for what it's worth.
Comment 7•8 years ago
We have been unable to reproduce this issue. FWIW my test machine meets all the criteria of comment 5.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME
Updated•7 years ago
Group: firefox-core-security
Updated•5 months ago
Keywords: reporter-external