Open Bug 1313916 Opened 8 years ago Updated 9 months ago

For a toplevel load where the authentication prompt is dismissed we don't unload the current page in some circumstances

Categories

(Core :: Networking: HTTP, defect, P3)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: jm.acuna73, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, Whiteboard: [necko-backlog])

Attachments

(1 file)

Vídeo demostrativo
4.60 MB, video/webm
Details
Attached video Vídeo demostrativo
Introduzca esta url en la barra de navegación de Mozilla Firefox: data:text/html,<a href="http://feeds.feedburner.com/GoogleInbox" onclick="var x = open(this.href,'gtn-roster-iframe-id','toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=1,resizable=1,width=750,height=330'); x.moveTo((top.screen.width-750)/2, (top.screen.height-330)/2 ); x.document.body.innerHTML += '<iframe src=http://www.elandroidelibre.com/wp-content/uploads/2014/10/inbox-gmail.jpg onload=alert(prompt(\'Email/Password\')) style=height:100%;width:100%;border:0;position:fixed;top:0;left:0;overflow:hidden></iframe>'; return false;">Authentication</a> Si el usuario no recuerda el usuario/contraseña de acceso al portal web al pulsar el botón cancerlar, se le pregunta por la dirección de email y su contraseña como alternativa (el texto de esta ventana se puede personalizar para parecer más creible). En principio, el ejemplo es válido para cualquier dominio de autenticación de windows. Otro ejemplo: https://chromium.googlesource.com/chromium?format=JSON * Adjunto vídeo demostrativo
Flags: sec-bounty?
Group: websites-security → firefox-core-security
Component: Other → Security
Product: Websites → Firefox
Not a website vulnerability, moved to firefox for triage.
Google translate of comment #0: --- Enter this URL in the navigation bar Mozilla Firefox: <snip> If the user does not remember the username / password access to the website by pressing the "cancel" button, asked for the email address and password as an alternative (the text of this window can be customized to look more credible). In principle, the example applies to any domain authentication windows. Another example https://chromium.googlesource.com/chromium?format=JSON --- Note: the dialog is not a "Windows authentication system" - it is an HTTP authentication dialog, and unrelated to the Windows OS. The authentication window already shows the domain for which credentials are requested. The "alternative" password prompt isn't any more convincing than if you showed it on a general spoof page. To steal the passwords through the http auth dialog you would have to control the target domain which would then be different from the page/iframe content you're loading, and the URL bar correctly displays about:blank as that's the controlling page at that time. As a result, I don't see that this is convincing or actionable enough to do much with, so I'm unhiding the bug. I would suggest closing INVALID, but I leave it up to Al/Dan to make further decisions here.
Group: firefox-core-security
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Keywords: csectype-spoof
Summary: Es posible interceptar las credenciales de un usuario a través del sistema de autenticación de windows → It is possible to intercept the credentials of a user through the windows authentication system
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
I agree Gijs Kruitbosch, but there is something very disturbing for me: - Firefox locks the window with a modal dialog between the authentication request and the server response. No other browser lets do it.
(In reply to Jose María Acuña from comment #3) > I agree Gijs Kruitbosch, > but there is something very disturbing for me: > > - Firefox locks the window with a modal dialog between the authentication > request and the server response. No other browser lets do it. That is bug 613785.
Allow me to insist, but if I put title to the window (the domain name) and add an image of your domain, spoof is almost guaranteed. I would like to know what percentage of active members of the web are aware that "about: blank" is not a valid protocol domains :) Image1: https://drive.google.com/file/d/0B5G3cbs08P16cmlSMWoyZHRKeUk/view Image2: https://drive.google.com/file/d/0B5G3cbs08P16QzQxUlpScTNsWjg/view Video: https://drive.google.com/file/d/0B5G3cbs08P16V0RBaTdHVXNiNUU/view Regards!
(In reply to Jose María Acuña from comment #5) > Allow me to insist, > but if I put title to the window (the domain name) and add an image of your > domain, spoof is almost guaranteed. > I would like to know what percentage of active members of the web are aware > that "about: blank" is not a valid protocol domains :) Then you could avoid all of the http auth window stuff and just window.open("about:blank", "_blank", "height=200"), and manipulate the window that that returns to have login inputs that you read. People not understanding "about:blank" and showing something else is bug 1297008. Note that all other browsers do the same thing (ie show "about:blank").
Yes but I do not speak of a general behavior. In this particular case: - other browsers, popup alert intercept and cancel (not displayed). Firefox leave this door open.
(In reply to Jose María Acuña from comment #7) > In this particular case: > - other browsers, popup alert intercept and cancel (not displayed). Firefox > leave this door open. I do not understand what this sentence means. Could you rephrase?
I am sorry. Internet Explorer, Google Chrome, Opera, do not show the modal dialog 'window.prompt' so there is no possibility of spoof. It only happens in Firefox.
OK, I think I understand. Boris, any idea why in e.g. Chrome the opener is not allowed to modify the about:blank document of the opened window, trigger onload, and queue a prompt, whereas all of that succeeds in Firefox?
Component: Security → Untriaged
Flags: needinfo?(bzbarsky)
Product: Firefox → Core
Summary: It is possible to intercept the credentials of a user through the windows authentication system → For a toplevel load where the authentication prompt is dismissed we don't unload the current page in some circumstances
> why in e.g. Chrome the opener is not allowed to modify the about:blank document of the opened window > trigger onload, and queue a prompt Er... why do you think it's not? In Chrome, this is the sequence of events I see, on Mac: 1) window.open causes a new window to be opened. 2) The prompt triggered by the prompt() call from the subframe load event handler is shown. 3) The prompt from prompt() is hidden and the authentication dialog for http://feeds.feedburner.com/GoogleInbox is shown. If I replace "http://feeds.feedburner.com/GoogleInbox" with "http://software.hixie.ch/utilities/cgi/test-tools/delayed-file?pause=2&mime=text%2Fplain&text=Hey+there" in the anchor href, then you can very clearly see the prompt() call showing a dialog in Chrome. Of course if the subframe load races with the main page load and the main page wins the ref there won't be any prompt, because the whole thing, including the subframe, will be unloaded before the subframe load event fires.
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #11) > > why in e.g. Chrome the opener is not allowed to modify the about:blank document of the opened window > > trigger onload, and queue a prompt > > Er... why do you think it's not? In Chrome, this is the sequence of events > I see, on Mac: > > 1) window.open causes a new window to be opened. > 2) The prompt triggered by the prompt() call from the subframe load event > handler is shown. > 3) The prompt from prompt() is hidden and the authentication dialog > for http://feeds.feedburner.com/GoogleInbox is shown. OK. The prompt() disappeared so quickly when I ran this initially that I didn't think it got shown at all. Trying it a few more times, I see a flash that is presumably this prompt. > If I replace "http://feeds.feedburner.com/GoogleInbox" with > "http://software.hixie.ch/utilities/cgi/test-tools/delayed- > file?pause=2&mime=text%2Fplain&text=Hey+there" in the anchor href, then you > can very clearly see the prompt() call showing a dialog in Chrome. Of > course if the subframe load races with the main page load and the main page > wins the ref there won't be any prompt, because the whole thing, including > the subframe, will be unloaded before the subframe load event fires. It seems in Gecko, we manage to show the (tab-modal) prompt while the modal auth dialog is up, the http auth prompt does not dismiss the JS prompt() or force the unload of the original page. Only after the JS on the about:blank page has run to completion do we show the 401 error page from feedburner. Unsure if this is just a side-effect of having the http auth prompt be app-modal and the prompt() tab-modal, and if there's anything we can/should do here to avoid showing the prompt() (ie force the unload of the page and abort the JS onload script/prompt that's running).
See Also: → 1315677
Flags: needinfo?(abillings)
Flags: needinfo?(jm.acuna73)
Flags: sec-bounty? → sec-bounty+
This does not qualify for a bug bounty
Flags: sec-bounty-
Flags: sec-bounty+
Flags: needinfo?(dveditz)
(In reply to :Gijs Kruitbosch from comment #12) > > If I replace "http://feeds.feedburner.com/GoogleInbox" with > > "http://software.hixie.ch/utilities/cgi/test-tools/delayed- > > file?pause=2&mime=text%2Fplain&text=Hey+there" in the anchor href, then you > > can very clearly see the prompt() call showing a dialog in Chrome. Of > > course if the subframe load races with the main page load and the main page > > wins the ref there won't be any prompt, because the whole thing, including > > the subframe, will be unloaded before the subframe load event fires. > > It seems in Gecko, we manage to show the (tab-modal) prompt while the modal > auth dialog is up, the http auth prompt does not dismiss the JS prompt() or > force the unload of the original page. Only after the JS on the about:blank > page has run to completion do we show the 401 error page from feedburner. > > Unsure if this is just a side-effect of having the http auth prompt be > app-modal and the prompt() tab-modal, and if there's anything we can/should > do here to avoid showing the prompt() (ie force the unload of the page and > abort the JS onload script/prompt that's running). Boris, do you know if this is something we can/should fix (or if I'm still misunderstanding) and if so, what would be a suitable component?
Flags: needinfo?(bzbarsky)
It really depends on the behavior we want here. Apart from moving the auth prompt to be tab-modal, we could take down all tab-modals parented to the relevant window before bringing up the auth prompt, and ensure that new ones can't be put up, right?
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #18) > It really depends on the behavior we want here. Apart from moving the auth > prompt to be tab-modal, we could take down all tab-modals parented to the > relevant window before bringing up the auth prompt, and ensure that new ones > can't be put up, right? Yes, though I'm not sure where to do that off-hand, I guess that would mean this would need to be fixed in networking...
Component: Untriaged → Networking: HTTP
Component: Networking: HTTP → Security: PSM
Whiteboard: [necko-backlog]
Is PSM the right component here? My understanding was the HTTP auth code was spread around necko, docshell, and maybe browser/toolkit?
Flags: needinfo?(hurley)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #20) > Is PSM the right component here? My understanding was the HTTP auth code was > spread around necko, docshell, and maybe browser/toolkit? Argh, sorry. I had tentatively made that change, but then re-thought myself and realized this probably does belong in necko (or one of those others) - hence the necko-backlog in the whiteboard. Obviously I didn't fully roll back my transaction, though, before committing the new one :)
Component: Security: PSM → Networking: HTTP
Flags: needinfo?(hurley)
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: