Closed Bug 1284372 (CVE-2016-5267) Opened 4 years ago Closed 4 years ago

Firefox Mobile Address Bar Spoofing


(Firefox for Android :: General, defect)

50 Branch
Not set



Firefox 50
Tracking Status
firefox47 --- wontfix
firefox48 + verified
firefox49 + verified
fennec 48+ ---
firefox50 + verified


(Reporter: rbsoulhunter17, Assigned: sebastian)



(Keywords: csectype-spoof, sec-moderate, Whiteboard: [adv-main48+])


(5 files)

Attached image spoofed1.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Firefox for Android

Steps to reproduce:

- Visit - using latest version of Firefox Mobile 
- Click on the link and observe the URL 

Actual results:

Due to mishandling of arabic RTL characters firefox for mobile causes the complete URL to be displayed from Right to left instead of left to right. 

Expected results:

The URL should be been displayed from LTR:

Expected Result:


Rendered Resultsعربي.امارات

This is perfectly fine on firefox for mobile
Attached image spoof2.png
Component: Untriaged → General
Product: Firefox → Firefox for Android
Version: unspecified → 50 Branch
Correction: This is perfectly fine on firefox for mobile


Correction: This is perfectly fine on Firefox Desktop Version.
Confirmed this behavior. Using the jsfiddle you need to long press and select open in new tab. NI to Margaret for an assignee.
tracking-fennec: --- → ?
Ever confirmed: true
Flags: needinfo?(margaret.leibovic)
Sebastian, can you look into this?
Assignee: nobody → s.kaspari
Flags: needinfo?(margaret.leibovic) → needinfo?(s.kaspari)
Flags: needinfo?(s.kaspari)
The same thing is happening in Chrome but as they are "scrolling" the URL (a variation of bug 1271998) and as their layout actually seems to support RTL it's not looking like a different domain.

I guess the correct solution would be to properly support RTL (at least in the toolbar): meta bug 702845.

In the short term we could try to force LTR. This will display the URL as expected in comment 0.
Attachment #8768373 - Flags: review?(margaret.leibovic)
Yes, LTR should be properly enforced and all URL's must always be displayed from Left-To-Right no matter what the direction of the content maybe, However, what needs to looked is if it won't cause any issues with appearance of RTL URL's.
Comment on attachment 8768373 [details] [diff] [review]

@Grisha: Can you take a look? :)
Attachment #8768373 - Flags: review?(margaret.leibovic) → review?(gkruglov)
tracking-fennec: ? → 48+
Comment on attachment 8768373 [details] [diff] [review]

Review of attachment 8768373 [details] [diff] [review]:

This looks fine. I don't know much about unicode directionality stuff; but, since you're adding a public method to StringUtils for forcing LTR, I'll ask: would that approach (appending a special char) work generally, outside of this specific usecase? e.g. can I pass in an already LTR string into it, and safely use/render/edit/etc result afterwards? Perhaps that method should assert that its input is RTL.
Attachment #8768373 - Flags: review?(gkruglov) → review+
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
Flags: sec-bounty?
Rafay, please don't set sec-bounty? on your bugs. The procedure is to email and ask to be considered for bounties. See under "Claiming a bounty".
Tracking 50+ for this security fix.
Flags: sec-bounty? → sec-bounty+
Comment on attachment 8768373 [details] [diff] [review]

This should be fairly easy to uplift.

Approval Request Comment

[Feature/regressing bug #]: All versions are affected. This might have been the case since the beginning of time.

[User impact if declined]: See screenshot in comment 0. We display some parts of a specifically crafted URLs in an unexpected order. This can be used to make you think you are browsing a different domain than you actually are.

[Describe test coverage new/current, TreeHerder]: Local testing and this is now in Nightly since a couple of days.

[Risks and why]: Lowish. We prepend (RTL) URLs with a control character that forces the view to display it like a LTR string. I can't think of any side effects because at this point this string is only used for displaying (not editing) the URL.

[String/UUID change made/needed]: -
Attachment #8768373 - Flags: approval-mozilla-beta?
Attachment #8768373 - Flags: approval-mozilla-aurora?
Group: firefox-core-security → core-security-release
Comment on attachment 8768373 [details] [diff] [review]

OK, fix this issue. Taking it.
Should be in 48 beta 8 or 9.

Ioana, could you verify this? Thanks
Attachment #8768373 - Flags: approval-mozilla-beta?
Attachment #8768373 - Flags: approval-mozilla-beta+
Attachment #8768373 - Flags: approval-mozilla-aurora?
Attachment #8768373 - Flags: approval-mozilla-aurora+
Flags: qe-verify+
Flags: needinfo?(ioana.chiorean)
Flags: needinfo?(ioana.chiorean)
Verified as fixed on all branches(48.0b9, Aurora 49.0a2/2016-07-18 and Nightly
50.0a1/2016-07-18) on a Samsung Galaxy S6 Edge (Android 6.0.1) and on a Samsung Galaxy Tab S2(Android 5.0.2)
Alias: CVE-2016-5267
Whiteboard: [adv-main48+]
Duplicate of this bug: 1295674
Group: core-security-release
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.