Closed Bug 1290714 Opened 8 years ago Closed 6 years ago

Localhost navigation bypass and address bar spoofing bugs in reader-mode

Categories: Firefox for iOS :: Reader View, defect, P3
Platform: Other, iOS
Status: RESOLVED WORKSFORME
Tracking Status: fxios 10.0 ---
People: Reporter sdna.muneaki.nishimura; Unassigned
Keywords: sec-moderate

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

1. Open http://mallory.csrf.jp/ios/spoofing5.html.
2. Tap the 2nd link in the page by any browser on your iOS device.

Actual results:

Reader-mode screen is shown in Firefox for iOS and the address bar shows https://foobarbaz.slack.com@slack-redir.com/link?url=https://threatpost.com...

This behavior has the following three security problems.
1. Reader-mode hosted on http://localhost:6571 can be opened though it has been blocked due to Bug 1281204.
2. URL in address bar shows the authinfo part in front of the host name (e.g., foobarbaz.slack.com@) though it is prohibited due to Bug 1224906.
3. URL in address bar shows the 30x redirector URL, not the final URL that provides web contents to WKWebView.

Expected results:

1. Localhost navigation should be blocked even through a firefox: URL.
2. Address bar should not show the authinfo part of the URL.
3. Address bar should show the final URL, not the 30x redirector URL.
Flags: sec-bounty?
This sounds like multiple bugs to be addressed.

For security purposes, none of them successfully spoof the address bar in a way that will attack a victim's web site, hence the rating.
Keywords: sec-low
There are 3 bugs in this ticket, so please divide it into some other tickets if needed.

One of the bugs is localhost access bypass with the firefox: scheme.
I think it would be of higher severity because it allows any application to access chrome: features of Firefox that are hosted on http://localhost:6571.
For example, the error screen in Firefox still has an open-redirect bug, but it cannot be exploited due to localhost access blocking.
However, if you use this bug you can exploit it from other applications, e.g., Safari, like below.

firefox://?url=http://localhost:6571/errors/error.html?url=http://a.csrf.jp/
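Added example, not code from the bug report or from Firefox for iOS: two defender-side checks matching the first two problems the reporter lists and the firefox: deep link quoted just above. The first strips userinfo ("user@") from the host an address bar would display and flags URLs that carry it; the second refuses an externally supplied firefox://?url=... deep link whose target is the local reader-mode server, whatever scheme the outer link uses. Port 6571 and the two URLs are taken from this bug; the function names, the LOCAL_HOSTS set and the http/https allow-list are assumptions made for the example. The third problem (showing the final URL after a 30x redirect) depends on which URL the UI reads back from the web view and is not modelled here.

```python
# Added example, not code from the bug report or from Firefox for iOS.
# Two defender-side checks for the problems the reporter describes:
#   1. never display userinfo ("user@") in front of the host, and flag URLs
#      that carry it;
#   2. refuse a firefox://?url=... deep link whose target is the local
#      reader-mode server (http://localhost:6571 in the report).
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Port 6571 is the reader-mode port named in the report; the host list and
# the http/https allow-list are assumptions for this example.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
ALLOWED_TARGET_SCHEMES = {"http", "https"}


def has_userinfo(url: str) -> bool:
    """True if the authority component carries 'user[:password]@' before the
    host, i.e. the raw material for the authinfo spoof in the report."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def display_host(url: str) -> str:
    """Host string safe to show in an address bar: userinfo dropped, port kept."""
    parts = urlsplit(url)
    # .hostname is already lower-cased and has the userinfo stripped off.
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def deep_link_target(deep_link: str) -> Optional[str]:
    """Return the 'url' parameter of a firefox://?url=... deep link, or None."""
    parts = urlsplit(deep_link)
    if parts.scheme != "firefox":
        return None
    # parse_qs splits on '&' and on the first '=' only, so a target URL that
    # itself contains '?' and '=' (as in the report) survives intact.
    values = parse_qs(parts.query, keep_blank_values=True).get("url")
    return values[0] if values else None


def is_local_host(host: str) -> bool:
    """True for hosts that resolve to this device, including *.localhost names."""
    host = host.lower().rstrip(".")
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def deep_link_allowed(deep_link: str) -> bool:
    """Policy for externally supplied deep links: only http(s) targets, and
    never a target on the local machine."""
    target = deep_link_target(deep_link)
    if target is None:
        return False
    t = urlsplit(target)
    if t.scheme.lower() not in ALLOWED_TARGET_SCHEMES:
        return False
    return not is_local_host(t.hostname or "")


if __name__ == "__main__":
    # Both URLs below are the ones quoted in this bug, not constructed.
    spoof = "https://foobarbaz.slack.com@slack-redir.com/link?url=https://threatpost.com"
    print(has_userinfo(spoof), display_host(spoof))  # True slack-redir.com
    link = "firefox://?url=http://localhost:6571/errors/error.html?url=http://a.csrf.jp/"
    print(deep_link_target(link))
    print(deep_link_allowed(link))  # False
```

The deep-link check deliberately inspects the inner target rather than the outer scheme: blocking navigations typed as http://localhost:6571 while letting firefox://?url=http://localhost:6571/... through is exactly the gap the comment describes, so the policy has to be applied to whatever URL the app is finally asked to load.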
(In reply to Muneaki Nishimura from comment #2)
> There are 3 bugs in this ticket so please divide it into some other tickets
> if needed.

We would ask you to log each of these bugs independently (so as to keep each bug to a single issue) if they are not from the same root issue.
Hi, I divided it into the following 3 tickets.
Bug 1293066 : firefox: URL scheme bypasses localhost navigation blocking
Bug 1293068 : Address bar spoofing with authinfo in front of URL in reader-view
Bug 1293070 : Address bar spoofing with 30x redirect in reader-view
It looks like none of the 3 issues remained here in this bug so I'm closing it in favor of the others. Arbitrarily picking the first one to dupe this to.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Status: RESOLVED → REOPENED
Depends on: 1293066, 1293038
Flags: sec-bounty- → sec-bounty+
Keywords: sec-low → sec-moderate
Resolution: DUPLICATE → ---
Depends on: 1293068
No longer depends on: 1293038
Make sense to address this for the 5.2 release?
Flags: needinfo?(bnicholson)
Seems like a good idea to me. I'll flag the three individual bugs mentioned in comment 4 since this one is more of a meta bug describing the combined attack.
Flags: needinfo?(bnicholson)
We have since re-implemented much of our deep-linking code and this bug is no longer reproducible.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 6 years ago
Resolution: --- → WORKSFORME
Group: firefox-core-security → mobile-core-security
Group: mobile-core-security