Closed Bug 1279162 Opened 8 years ago Closed 8 years ago

A click on the arrow/button in the location bar which shows the history can lead to a Location Bar Spoofing vulnerability (URL and SSL Spoofing) using a bigger URL size.

Categories: Firefox :: Address Bar, defect
Version: 47 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
People: Reporter: jordi.chancel, Unassigned
Keywords: reporter-external
Attachments: 2 files

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

(Only tested on Mac OS X.)

This Location Bar Spoofing (URL and SSL Spoofing) works with a click on the arrow that shows the history in the location bar (see testcase).

Explanation: When a user clicks on this arrow to show the history on a crafted webpage with a very long URL (e.g. http://www.yyy.com/#wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwhttps://www.bank.com/ ), this leads to a possible Location Bar Spoofing (URL & SSL Spoofing). When a user clicks on this button to show the history in the location bar, the end of the URL is shown instead of the start of the URL (so the location bar shows https://www.bank.com instead of http://www.yyy.com/# ).

A demonstration video will be uploaded.

STR:
1) Open "Part1 https.html" with Firefox (web address in the URL field) and click on the button "Step 1: ClickMe" (a popup window is opened).
2) Click on the button shown in the image in the webpage in the newly opened Firefox window (the button/arrow in the location bar that shows the history).

Actual results:

The Location Bar is spoofed and, if the malicious website is secure, this leads to URL and SSL Spoofing.

Expected results:

If a user clicks on the arrow/button in the location bar to show the history, the end of the URL is shown instead of the start of this URL.

Possible way to patch this vulnerability: When a user clicks on the arrow/button to show the history in the location bar, Firefox should continue to show the start of the visited URL instead of the end of this URL.
Version: 46 Branch → 47 Branch
Component: General → Location Bar
Product: Core → Firefox
Group: core-security → firefox-core-security
Flags: sec-bounty?
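An added example (not from the bug report or from Firefox) illustrating the mechanism the report describes: a location bar that displays only the tail of a long URL can show a string that looks like another site's origin, while a real URL parser still reports the true origin. The sample URL is constructed after the one in the report, and the function names are my own; it runs on Node.js 18+ with the built-in WHATWG URL class.

```javascript
// Constructed sample modelled on the URL shape in the report: a long
// fragment whose last characters look like a different, HTTPS origin.
const SAMPLE = "http://www.yyy.com/#" + "w".repeat(46) + "https://www.bank.com/";

// What a location bar scrolled to the end would display for a given width.
function visibleTail(url, width) {
  return url.length <= width ? url : url.slice(-width);
}

// The security-relevant origin, as computed by a real URL parser.
function trueOrigin(url) {
  return new URL(url).origin;
}

// Triage heuristic: does the path, query or fragment carry something that
// looks like another absolute URL (scheme + host)? A useful phishing-URL
// signal for log review; it never changes where the browser connects.
const EMBEDDED_URL = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}/i;

function embeddedUrlAfterOrigin(url) {
  const u = new URL(url);
  const rest = u.pathname + u.search + u.hash;
  const m = rest.match(EMBEDDED_URL);
  return m ? m[0] : null;
}

// Compare the displayed tail with the parsed origin. The tail is flagged
// as misleading when it does not even contain the real hostname.
function analyze(url, width = 25) {
  const u = new URL(url);
  const tail = visibleTail(url, width);
  return {
    origin: u.origin,
    tail,
    embedded: embeddedUrlAfterOrigin(url),
    tailMisleading: !tail.includes(u.hostname),
  };
}

console.log(analyze(SAMPLE));
// origin "http://www.yyy.com", tail ending in "https://www.bank.com/",
// embedded "https://www.bank.com", tailMisleading true
```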
Could you define the severity of this newly reported vulnerability, please?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(continuation)
Security bugs are triaged in a regular meeting. Needinfoing people will not get your bug triaged faster. Hopefully by next week this will have a rating assigned.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(continuation)
I don't see any spoofing with the testcase
(In reply to Daniel Veditz [:dveditz] from comment #4)
> I don't see any spoofing with the testcase

The testcase was tested only on Mac OS X Yosemite and Mac OS X El Capitan. I have tested the PoC again now (1st September 2016 / 2016/09/01) (PoC link: https://www.alternativ-testing.fr/Research/Mozilla/~G61S3K-Possible-URL_and_SSL_Spoofing-M8H7D3/Part1%20https.html ) with Firefox 48.0.2 for Mac OS X and the testcase works. The link to the example video: https://www.youtube.com/watch?v=XKNvXodW-8U . If you tested the PoC on Windows or another OS and the spoofing doesn't work, I think that the testcase works only with Firefox for Mac OS X.
Attached image Results
Using the test link in comment 5 and following the directions, I do not see the spoofing either. First, when I follow the directions, it asks me to click on the back button. However, this is a new window, and the back button is disabled due to lack of history. So, nothing happens when I click that button. However, if I click in the location bar, the page renavigates, and I see an alert window plus phishing page. The URL bar is still not spoofed, however. See image. I'm on Mac, for what it's worth.
We have been unable to reproduce this issue. FWIW my test machine meets all the criteria of comment 5.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME
Group: firefox-core-security