Closed Bug 1312145 Opened 8 years ago Closed 8 years ago

DOS by opening multiple mailto windows

Categories

(Firefox :: Untriaged, defect)

Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 167475

People

(Reporter: ahmedmehtab009, Unassigned)

Details

(Keywords: mail-integration, Whiteboard: Firefox Overflow)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce:

First of all, let me make it clear that this bug affects almost all versions, including Windows-based ones and also Firefox for Android; however, iOS was not tested, and it could be vulnerable too. This is a logical security issue in Firefox which can lead to freezing and other possible exploitations.

We have seen that all the major browsers, including Firefox, have a built-in feature of hyperlinking email addresses so their users can click on them and send emails directly, for example "mailto:mail@securityfuse.com". As we also know, we can use "mailto:" in the address bar along with an email address, which gives us the opportunity to send email via our selected application.

But an attacker can misuse this and can lead a normal user to a crash or freeze of Firefox on both desktop and Android.

1- On Desktop:
We will simply write JavaScript code which will redirect the user to "mailto:mail@securityfuse.com" and afterwards refresh itself, i.e. the web page, at a very short interval of "1 millisecond". But if we do this on a remote server it will slow down the process. As we also know, because of the data URI scheme a user is allowed to execute HTML and JavaScript in the web browser directly by executing it in the address bar, so we will execute that JavaScript code via the data URI scheme in the address bar. Once that HTML is executed in the address bar it will become very hard for the user to stop it, because it will continuously pop up the option box, and it will pop up multiple boxes rather than one to confirm which application he wants to use for sending email, and will hang him up in a situation where he will be forced to close the web browser. Because the HTML is executing directly in the address bar, it will load the content very fast; in this way an attacker can easily exploit it to freeze the user.

Script Actions in a loop

1- redirect user to mailto:anymail@mail.com via window.location JS
2- refresh the content / page every 1 millisecond
3- go to step 1

These 3 steps will keep asking the user to select an option. But note that if the user has already clicked on "remember my selection or choice" then this could be the worst experience for the user: if he confirmed his selection, for example for the Windows Live program or Gmail or any other application, Firefox will massively open that application again and again in milliseconds, thousands of times or even more.


On Android:

I have also tested this on Android, and on older versions of Android it affects the user very badly because it gives multiple popups to confirm the selection for sending email. The Firefox browser is affected by it. The worst thing is that it freezes itself on the selection in the latest Android versions, where Android gives a single popup, but the user is not able to go back or click cancel, because whenever the user opens his browser that HTML will be executed with the help of the data URI scheme and will be too fast, in milliseconds, so that the user will not be able to go back or do anything. Also, even if he turns off Wi-Fi, it is an offline script due to the data URI, which will still keep executing in the user's web browser on Android and asking for a selection. In case the user has selected or remembered his selection for sending mail, Firefox on Android and the Android default browser will force that application to open every time he opens the browser. The only way to stop it would be to clear Firefox data or reset.

The script which I have used is below:

----
data:text/html;charset=utf-8,<script type="text/javascript"> setInterval(function() { window.location.reload(); }, 1); </script> <script>window.location="mailto:admin@securityfuse.com";</script>
----

I have used a data URI to run this script in base64 encrypted form; I simply created an HTML file on a remote server and redirected the user to that URI, so in this case an attacker can also use a remote link and with just one click his browser can be frozen, as mentioned in the Android POC.

Remote Link : http://securityfuse.com/crash_test.html

If the user opens it on Android this will annoy him, and if the user first selects or confirms his selection of an application and afterwards opens it, the browser will crash and will force the user into the application which he remembered in the past.

Waiting for your response, looking forward to the reward program. Please be aware that Firefox pops up multiple forms, which it should not, because modern browsers pop up a single form on multiple requests while Firefox pops up multiple.
Severity: normal → major
OS: Unspecified → All
Hardware: Unspecified → All
Whiteboard: Firefox Overflow
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: Firefox Execution Overflow → DOS by opening multiple mailto windows
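
A mitigation sketch for the behaviour reported above, added here as an example and not taken from the bug or from Firefox's code: a gate in front of external protocol handlers that keeps at most one chooser dialog open per tab and scheme, and throttles scripted repeats after it is dismissed. The class name, the 2000 ms cool-down and the `userGesture` flag are assumptions.

```javascript
// Added illustration (hypothetical names): a gate a browser-like host could
// place in front of external protocol handlers such as mailto:.
class ExternalLaunchGate {
  constructor({ minIntervalMs = 2000, now = () => Date.now() } = {}) {
    this.minIntervalMs = minIntervalMs; // assumed cool-down, not a Firefox value
    this.now = now;                     // injectable clock for testing
    this.pending = new Set();           // keys with a chooser dialog still open
    this.lastDecision = new Map();      // key -> time the last dialog was resolved
    this.suppressed = 0;                // requests dropped by the gate
  }

  // Key by requesting tab and URL scheme, so one page cannot stack dialogs.
  static key(tabId, url) {
    const scheme = String(url).split(":", 1)[0].toLowerCase();
    return `${tabId}|${scheme}`;
  }

  // Returns "prompt" if a chooser may be shown, otherwise why it was dropped.
  request(tabId, url, userGesture) {
    const k = ExternalLaunchGate.key(tabId, url);
    if (this.pending.has(k)) { this.suppressed++; return "coalesced"; }
    const last = this.lastDecision.get(k);
    const cooling = last !== undefined && this.now() - last < this.minIntervalMs;
    // A real user click may bypass the cool-down; scripted navigation may not.
    if (cooling && !userGesture) { this.suppressed++; return "throttled"; }
    this.pending.add(k);
    return "prompt";
  }

  // Call when the user picks an application or cancels the chooser.
  resolve(tabId, url) {
    const k = ExternalLaunchGate.key(tabId, url);
    this.pending.delete(k);
    this.lastDecision.set(k, this.now());
  }
}

// Constructed scenario: a page re-navigates to mailto: once per millisecond.
function simulateReloadLoop(iterations) {
  let t = 0;
  const gate = new ExternalLaunchGate({ now: () => t });
  let prompts = 0;
  for (let i = 0; i < iterations; i++, t += 1) {
    if (gate.request("tab-1", "mailto:user@example.test", false) === "prompt") {
      prompts++;
      if (i === 0) gate.resolve("tab-1", "mailto:user@example.test"); // user cancels once
    }
  }
  return { prompts, suppressed: gate.suppressed };
}
```

The same gate would sit in front of a remembered handler choice, so an application launch is rate-limited in the same way as a chooser dialog.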