Closed Bug 1305208 Opened 9 years ago Closed 9 years ago

Background application can steal arbitrary web contents through reader-mode

Categories

(Firefox for iOS :: Reader View, defect, P1)

Other
iOS
defect

Tracking

()

RESOLVED FIXED
Iteration:
1.10
Tracking Status
fxios 6.0+ ---
fxios-v6.0 --- fixed
fxios-v7.0 --- fixed

People

(Reporter: sdna.muneaki.nishimura, Assigned: bnicholson)

Details

(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [MobileAS])

Attachments

(2 files)

Attached file steal.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50

Steps to reproduce:

Reader-mode in Firefox for iOS is hosted on a local web server, and readerized web pages can be accessed through the following URL.

http://localhost:6571/reader-mode/page?url=https://blog.mozilla.org/security/

This local server runs while in the foreground, but a background application can access it too. This means that it can be used for stealing a user's private web contents from another application.

If you run Firefox for iOS on a Simulator on macOS, you can reproduce an attack scenario like this.

1) Log in to Github with Firefox for iOS on the Simulator
2) Launch the terminal application on macOS.
3) Execute "curl http://localhost:6571/reader-mode/page?url=https://github.com/notifications" twice
4) The curl response may contain your private Github notification messages

If you want to reproduce an attack scenario on your device, you need to install an application that implements similar logic to the above. You can also reproduce it by using the "Mercury Browser" application like this.

1) Log in to Facebook on Firefox for iOS
2) Install Mercury Browser on your iOS device
3) Send "steal.html" to your device as an e-mail attachment
4) Open steal.html with Mercury Browser
5) Push the button in steal.html
6) You can see your Facebook contents on Mercury Browser though you've never logged in to Facebook on Mercury

The following URL is a video in which I reproduced these steps on my iPhone.

https://drive.google.com/open?id=0Bw1n4kKdVB6SQklMMEFmRnZVOXc

Actual results:

See above.

Expected results:

Readerized pages should not be accessible from another application.
Flags: sec-bounty?
Keywords: sec-high
Severity: normal → critical
Keywords: csectype-sop
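The report's point is that a loopback web server is reachable by every process on the device, so "localhost" alone proves nothing about who is asking. The sketch below is an added illustration of one mitigation for that pattern and is not the Firefox for iOS fix or project code: an assumed per-launch random token that the app embeds in its own reader-mode requests and that the server checks before serving anything (paths, names and port are illustrative).

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Assumed design: a secret generated fresh at every launch, held only in the
# app's memory, never persisted and never placed where another app could read it.
SESSION_TOKEN = secrets.token_urlsafe(32)


def authorize(path: str, token: str = SESSION_TOKEN) -> tuple:
    """Decide whether a reader-mode request may be served.

    Returns (status, body). The request is served only when the `token`
    query parameter matches the current per-launch secret; the loopback
    interface by itself is not treated as evidence the request is ours.
    """
    parsed = urlparse(path)
    if parsed.path != "/reader-mode/page":
        return 404, "not found"
    params = parse_qs(parsed.query)
    presented = params.get("token", [""])[0]
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return 403, "missing or invalid session token"
    url = params.get("url", [""])[0]
    if not url.startswith(("http://", "https://")):
        return 400, "bad url"
    # Constructed placeholder for the readerized page body.
    return 200, "readerized content for " + url


class ReaderHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = authorize(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Bind to loopback only; the token check above is the actual access control.
    HTTPServer(("127.0.0.1", 6571), ReaderHandler).serve_forever()
```

A request shaped like the one in the report, with no token, gets a 403 regardless of which process on the device sent it.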
Brian: we need to get this fixed ASAP. How can we get this on the release trains for iOS?
Flags: needinfo?(bnicholson)
This sounds bad, and seems to conflict with the expected behavior described here: https://bugzilla.mozilla.org/show_bug.cgi?id=1201592#c4. I flagged this as tracking-fxios=?, so this will come up during our next iOS triage on Tuesday.
tracking-fxios: --- → ?
Flags: needinfo?(bnicholson)
Brian, any update here?
Flags: needinfo?(bnicholson)
Looks like our triage query doesn't include security bugs, but I'll mark this as 6+ and P1. It'll be fixed by the next release (6.0).
Flags: needinfo?(bnicholson)
Priority: -- → P1
Whiteboard: [MobileAS]
Iteration: --- → 1.7
Iteration: 1.7 → 1.8
Iteration: 1.8 → 1.9
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
I'm disappointed we didn't realize this sooner.
Attachment #8811481 - Flags: review?(sarentz)
Unfortunately, this fix does nothing to solve the related and even worse bug 1318155.
dveditz pointed out that bug 1318155 isn't actually a big concern since it requires that a malicious app be installed, whereas this exploit can be triggered from arbitrary content in a third-party browser. I think this fix should be good enough for 6.0.
Attachment #8811481 - Flags: review?(sarentz) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Iteration: 1.9 → 1.10
v6.x: ac52599
Flags: sec-bounty? → sec-bounty+
Group: firefox-core-security → core-security-release
Group: core-security-release