Closed
Bug 1288323
Opened 8 years ago
Closed 6 years ago
Address Bar Spoofing in Firefox iOS Application with userinfo@domain
Categories
(Firefox for iOS :: Menu and Toolbar, defect)
Firefox for iOS
Menu and Toolbar
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: mishra.dhiraj95, Unassigned)
References
()
Details
(Keywords: csectype-spoof, sec-low, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
179.12 KB,
application/zip
|
Details |
Hello Sir , I am able to spoof or change the DNS in Firefox browser in iOS Apple iPhone 6 , I am able to spoof the whole DNS just by using @ in browser. Example : https://google.com@fb.com , this actually redirects to fb.com rather than going to google. Just by using @ symbol , an attacker may spoof the address bar , Similarly if i change to any other domain like, https://bing.com@yahoo.com , this will redirect to yahoo.com rather than bing.com , well mozilla have a countermeasure for this bug in Window's System , Android System when we try to do this same thing in different OS like windows7 and android platform mozilla gives a popup with a note written in it : You are about to log in to the site "google.com" with the username "facebook%2Ecom", but the website does not require authentication. This may be an attempt to trick you. Is "google.com" the site you want to visit? but not in iOS platform , an attacker will simply redirect it to any malicious website. Business Impact: An attacker can send a URL containing payload which will redirect victim to the attacker’s controlled malicious website. The end user may be subjected to a phishing attack and as well as cookie stealing by being redirected to an untrusted page. The later attack is more convincing than the traditional phishing attack because the generated URL will point to any website like example.com and not to look-alike domain name. Please have a look on the attached POC down below , i have given my iPhone model number and steps for above scenario. I would be really happy to hear from the team.
Flags: sec-bounty?
Comment 1•8 years ago
|
||
Dhiraj: Thank you for your report, I have confirmed this behavior on an instance of FireFox for iOS. Should have someone from the FireFox iOS team shortly to comment.
Updated•8 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•8 years ago
|
||
bnicholson/st3fan: Can you have a look at this one?
Flags: needinfo?(sarentz)
Flags: needinfo?(bnicholson)
Comment 3•8 years ago
|
||
I think this should be under Firefox for Android -> Awesomescreen; that's where I've had similar bugs before. Want me to move it?
Reporter | ||
Comment 4•8 years ago
|
||
@Jonathan , Thank you very much , i ll be waiting , any other queries please let me know. Thank You
Comment 5•8 years ago
|
||
It looks like the problem is not specifically allowing urls like https://user:password@site.com .. those are legit and must be supported. The problem is that we don't have UI to make it clear that this is potentially an attach. If Android does the right thing in this area, then we can certainly aim for parity. There is one thing I don't understand from the report: it mentiones redirecting and cookie stealing. But is that really the case? Because if I tell the browser to go to http://facebook.com@evil.com, the load will most certainly happen on evil.com without a redirect. And there is no way facebook.com is in play at all. Evil.com could *look* like facebook.com, but I don't think there is a connection to the hostname that is put in the username part of the URL.
Flags: needinfo?(sarentz)
Updated•8 years ago
|
Flags: needinfo?(mishra.dhiraj95)
Comment 6•8 years ago
|
||
Oh right, I didn't see that this was for iOS. My bad! Note that this isn't an embedded Safari issue either; if you attempt to do the same thing on Safari, it will warn you that it is a possible phishing site. The report is definitely incorrect with regards to redirecting and cookie stealing -- you can't really do either of those things. It's more of a phishing concern, as Safari iOS correctly identifies.
Group: websites-security → firefox-core-security
Component: Other → Menu and Toolbar
Product: Websites → Firefox for iOS
Comment 7•8 years ago
|
||
Got my old Android phone charged enough to boot it up and see the behavior there: it appears that the Android version of Firefox does handle this properly.
Reporter | ||
Comment 8•8 years ago
|
||
Yes ! the browser is allowing an attacker to do phishing , as the application of Mozilla in Android and windows system gives a warn , popup that specific thing is being missed out over here. Hence forth in iOS , mozilla allows attacker to take advantage just by using '@' , it can also be used in browser based exploitation with the help of BeeF using [hook.js]. Ex : https://example.com@evil.com
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment 15•8 years ago
|
||
This is more of a spoofing issue -- the user has to believe the link (which can be spoofed in other ways) and then not check the destination URL. This is mostly a problem in phishing emails where links can't have scripted on-click handlers, but on iOS we can't be the default browser to handle links from an email app so this is not an effective phishing strategy anymore.
Flags: sec-bounty? → sec-bounty-
Reporter | ||
Comment 16•8 years ago
|
||
Yes ! :dveditz this can be used in on-click handlers , as far Firefox is not a default browser in iOS still people uses Mozilla , and at that time it may cause and issue to an end user. Thank you for correcting and verifying.
Comment 17•8 years ago
|
||
Hopefully someone can take a look at this within the next week,
Flags: needinfo?(bnicholson)
Comment hidden (off-topic) |
Comment 20•8 years ago
|
||
Per bug 1288323 this also applies to Focus.
Comment 21•8 years ago
|
||
(In reply to :Gijs Kruitbosch from comment #20) > Per bug 1288323 this also applies to Focus. Eh, bug 1318834.
Comment 22•8 years ago
|
||
bug 1318897 suggests this is fixed on Firefox for iOS and still broken on Focus - so maybe this should be closed, and bug 1318897 duped to bug 1318834? April, can you update these 3 bugs? Thanks.
Flags: needinfo?(april)
Comment 23•8 years ago
|
||
:Gijs, I just triaged the bug, but I don't have anything to do with the products at all. It should probably be someone from the Firefox iOS team that closes it out. Note that I don't have access to bug 1318897 (because it's not my team), so I don't really have any insight into whether it has been fixed or not.
Flags: needinfo?(april)
Comment 24•8 years ago
|
||
(In reply to April King [:April] from comment #23) > :Gijs, I just triaged the bug, but I don't have anything to do with the > products at all. It should probably be someone from the Firefox iOS team > that closes it out. Note that I don't have access to bug 1318897 (because > it's not my team), so I don't really have any insight into whether it has > been fixed or not. Hopefully Brian can help.
Flags: needinfo?(bnicholson)
Comment 25•8 years ago
|
||
Reading comment 0, I think this bug is about spoofing links *before* visiting the actual page; e.g., http://google.com@evil.com. As Gijs mentioned, we've already fixed the spoofing issue when the user actually visits that page (bug 1224906), though I think that's a different bug. I agree with comment 15 -- we aren't the default browser, so it'll be pretty difficult to trick the user with this method. That said, we should probably still have some kind of dialog or warning, so I'll leave this open.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(bnicholson)
Resolution: --- → DUPLICATE
Comment hidden (off-topic) |
Reporter | ||
Comment 27•8 years ago
|
||
Hey Brian , Any update on this bug. Thank you
Flags: needinfo?(bnicholson)
Comment 28•7 years ago
|
||
No, this isn't a high priority at the moment. As mentioned above, this bug will be updated whenever we decide to work on this. No need to ping anyone.
Flags: needinfo?(bnicholson)
Updated•7 years ago
|
Summary: Address Bar Spoofing in Firefox iOS Application. → Address Bar Spoofing in Firefox iOS Application with userinfo@domain
Reporter | ||
Comment 31•7 years ago
|
||
Hi Team, Any update on the above issue, request you to please let me know
Comment 32•6 years ago
|
||
This is no longer an issue. When the URL is entered, we replace the contents of the address bar with the URL of the page returned from the server. This removes any extraneous leading `otherdomain.com@...`.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 6 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
|
Group: firefox-core-security → mobile-core-security
Updated•5 years ago
|
Group: mobile-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•