Closed Bug 1325812 Opened 9 years ago Closed 6 years ago

Custom URI schemes in the location bar can lead to Location Bar Spoofing

Categories

(Firefox for Android Graveyard :: General, defect, P3)

50 Branch
defect

Tracking

(fennec+)

RESOLVED WONTFIX
Tracking Status
fennec + ---

People

(Reporter: jordi.chancel, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-low, Whiteboard: [geckoview-])

Attachments

(3 files)

Attached file Video Example.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507

Steps to reproduce:

On a crafted webpage, copy a custom URL scheme (eg: secure://www.google.com/ ), paste this custom URL scheme into the Address Bar, and after, press the "Go to" button on the keyboard (like shown on the demonstration video uploaded in this Bug report).

-1 : Copy a custom URL scheme like secure://www.google.com and paste it into the Addressbar
-2 : Press the "Go to" button on the keyboard to try to go to this address

Actual results:

The Location Bar shows the custom URL scheme address (eg: secure://www.google.com ) leading to a Location Bar Spoofing vulnerability.

Expected results:

The location bar shouldn't show the custom URL scheme address but should show the real web address of the web page visited.
Attached image Screenshot.png
Flags: sec-bounty?
Okay, I see that if you copy a URL with a random protocol into the URL bar then we do not show an error or something but instead you are still on the page you were on before and the URL bar shows the URL you just copied. I acknowledge that this is not nice (URL bar and content do not match), but I have a hard time understanding how this could be used for an attack. Desktop Firefox just launches a search - this might be the best we can do here. It looks like that's what Chrome does too.
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
Has STR: --- → yes
Ever confirmed: true
Assignee: nobody → cnevinchen
tracking-fennec: ? → +
Priority: -- → P1
I first thought that if it's not http or https, we'll treat it as a search query... but this is wrong. Because we still need to pass it to Gecko via browser.js's loadURI method to let Gecko have a chance to handle the URL (e.g. send out an intent for market://detials?id=org.mozilla.fennec_nechen to open Play Store). Besides, the platform already had a solution for handling this [1]. The problem is that it won't show the correct neterror page the first time. But the neterror page will be shown the second time.

Below is the code I got from the log [2]:

01-17 18:04:54.716/GeckoIntentHelper: Unable to open URI, maybe showing neterrormarkket://details?id=com.whatsapp
01-17 18:05:19.331/GeckoIntentHelper: Unable to open URI, maybe showing neterrormarkket://details?id=com.whatsapp

[1](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)
[2](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)

Hi Sebastian,
Could you please help pointing me to whom I can seek help from? I think I'm bothering him too much....:)
Flags: needinfo?(s.kaspari)
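The comments above describe three outcomes for text typed into the location bar: a plain search (desktop Firefox), a hand-off to Gecko so an intent can be fired for schemes like market://, and an error page for schemes nobody handles. The defect reported here is that, in the last case, the bar kept echoing the typed string while the old page stayed on screen. The following is an added illustration, not Fennec or Gecko code: a small model in which the displayed text is always derived from what was actually loaded, never from the raw input. The scheme lists, the search endpoint and the bare `about:neterror` display value are assumptions for illustration.

```javascript
// Added example, not Fennec/Gecko code: a model of location-bar input handling
// in which the displayed text is always derived from the navigation outcome,
// never echoed from the raw typed string. Scheme lists and the search URL are
// assumptions for illustration.

// Schemes the browser itself renders.
const WEB_SCHEMES = new Set(["http", "https"]);
// Schemes handed off to another app via an intent (assumed list; the bug
// mentions market:// as one such case).
const EXTERNAL_SCHEMES = new Set(["market", "tel", "mailto"]);
// Constructed search endpoint used when the input is not a URL.
const SEARCH_URL = "https://search.example/?q=";

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// followed by ":". Returns the lowercased scheme, or null when there is none.
function parseScheme(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// Returns { action, display }. `currentUrl` is the document currently shown.
function handleLocationInput(typed, currentUrl) {
  const input = typed.trim();
  const scheme = parseScheme(input);

  if (scheme === null) {
    // A bare host name such as "www.google.com" gets a web scheme prepended;
    // anything else is sent to search, as desktop Firefox does.
    if (/^[^\s/]+\.[^\s]+$/.test(input)) {
      return { action: "navigate", display: new URL("http://" + input).href };
    }
    return { action: "search", display: SEARCH_URL + encodeURIComponent(input) };
  }

  if (WEB_SCHEMES.has(scheme)) {
    // Show the normalised URL of the document that will load (a real browser
    // updates this again once the load commits, after any redirects).
    return { action: "navigate", display: new URL(input).href };
  }

  if (EXTERNAL_SCHEMES.has(scheme)) {
    // The request leaves the browser and the document does not change, so the
    // bar keeps showing the current page rather than the typed text.
    return { action: "external-handler", display: currentUrl };
  }

  // Unknown scheme such as "secure:" or "httpZ:": load an error page and show
  // that page's own address (Gecko's real neterror URL carries query
  // parameters, omitted here).
  return { action: "error-page", display: "about:neterror" };
}
```

Note that scheme matching lowercases the parsed prefix before the lookup, so `httpZ://` (from a later comment in this bug) is classified as an unknown scheme rather than as HTTP, and that the external-handler branch is the one place where the displayed value is deliberately the previous document's URL, because that document is what remains on screen.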
(In reply to Nevin Chen [:nechen] from comment #3)
> [1](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)
> [2](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)

Those are the same links - is this correct?

> Could you please help pointing me whom I can seek for help? I think I'm
> bothering him too much....:)

Yeah, but what exactly do you need help with or what is your question? :)
Flags: needinfo?(s.kaspari)
(In reply to Sebastian Kaspari (:sebastian) from comment #4)
> (In reply to Nevin Chen [:nechen] from comment #3)
> > [1](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)
> > [2](http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#399)
>
> Those are the same links - is this correct?

Oh.. sorry... the first link [1] should be http://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/IntentHelper.java#533

> > Could you please help pointing me whom I can seek for help? I think I'm
> > bothering him too much....:)
>
> Yeah, but what exactly do you need help with or what is your question? :)

My question is "Why won't GeckoView show anything the first time, but only show the correct neterror page the second time?" But after looking at the blame of #533... I found this bug seems to be a duplicate of bug 1278581?
Flags: needinfo?(s.kaspari)
Yeah, they seem to be the same. In the other bug snorp (bug 1278581 comment 43) wasn't able to reproduce the issue. Do you have some steps that always lead to us not showing the error page? With that you could NI snorp here again.
Flags: needinfo?(s.kaspari)
Hi snorp. I can 100% reproduce this issue.

STR
1. Close the app and restart again.
2. Go to www.google.com
3. After the content in 2 is displayed, in the url bar enter aaa://www.google.com
4. There's no "about:neterror....." page.
But...
5. But if you enter aaa://www.google.com again, "about:neterror....." will be displayed. From now on, till you restart the app again, you'll always get the correct "about:neterror....." page if the scheme can't be handled.

Could you please help me verify if this bug is a duplicate of bug 1278581?
Does it look like a platform bug?

Thanks!
Flags: needinfo?(snorp)
Assignee: cnevinchen → nobody
(In reply to Nevin Chen [:nechen] from comment #7)
> Hi snorp. I can 100% reproduce this issue.
>
> STR
> 1. Close the app and restart again.
> 2. Go to www.google.com
> 3. After the content in 2 is displayed, in url enter aaa://www.google.com
> 4. There's no "about:neterror....." page.
> But...
> 5. But if you enter aaa://www.google.com again, "about:neterror....." will
> be displayed. From now on, till you restart the app again, you'll always get
> the correct "about:neterror....." page if the scheme can't be handled.
>
> Could you please help me verify if this bug is duplicated with bug 1278581?
> Does it look like a platform bug?
>
> Thanks!

Nevin, what version of Firefox are you using for your test described in comment 7?
I'm using the Release version. Thanks!
Flags: needinfo?(jordi.chancel)
I could kind of see how you could do something bad with this, but it sounds pretty minor.
Keywords: sec-low
P2 then per comment 10
Priority: P1 → P2
I can't repro with the steps in comment #7 on Nightly. I don't ever get about:neterror, which does sound like bug 1278581 has regressed.
Flags: needinfo?(snorp)
Does not rise to the severity level of the bug bounty program, especially given the user interaction required.
Flags: sec-bounty? → sec-bounty-
(In reply to Nevin Chen [:nechen] from comment #7)
> Hi snorp. I can 100% reproduce this issue.
>
> STR
> 1. Close the app and restart again.
> 2. Go to www.google.com
> 3. After the content in 2 is displayed, in url enter aaa://www.google.com
> 4. There's no "about:neterror....." page.
> But...
> 5. But if you enter aaa://www.google.com again, "about:neterror....." will
> be displayed. From now on, till you restart the app again, you'll always get
> the correct "about:neterror....." page if the scheme can't be handled.
>
> Could you please help me verify if this bug is duplicated with bug 1278581?
> Does it look like a platform bug?

-----------------

Now with Firefox 54.0.1 for Android, this Location Bar Spoofing vulnerability needs the same user interactions used in Bug 1162372 (CVE-2015-4476):

-1) Copy the custom URL scheme (eg: secure://www.google.com/ ; httpZ://www.google.com )
-2) Paste this custom URL scheme into the Addressbar,
-3) And press the "Go to" button on the keyboard.

Results: The Location Bar is directly spoofed by the custom URL scheme (like shown on my attachment "screenshot.png" -> https://bugzilla.mozilla.org/attachment.cgi?id=8821868 uploaded in this Bug report).
Flags: needinfo?(jordi.chancel)
[triage] sec-low: moving to P3 rank 0.
Priority: P2 → P3
Group: firefox-core-security → mobile-core-security

Fennec only. Not relevant for Fenix.

Whiteboard: [geckoview-]

Wontfix for fennec.

As Chris states going to an existing page then pasting an invalid URL scheme in Fenix results in an unknown protocol error page which is what is expected.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Product: Firefox for Android → Firefox for Android Graveyard
Group: mobile-core-security