Closed Bug 1338837 Opened 7 years ago Closed 7 years ago

Location Bar Spoofing: location bar continues displaying blob URI if user tries to navigate to it manually

Categories

(Firefox :: Address Bar, defect)

51 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1323452

People

(Reporter: jordi.chancel, Unassigned)

Details

Attachments

(1 file)

Attached file TESTCASE.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

When you are on a malicious webpage which contains a link like:

blob://https://www.google.com/

copy this link, right click into the location bar and click on the selection "Paste and Go".

These steps lead to a Location Bar Spoofing Vulnerability.

Steps with the testcase:
-1: copy the URL of the link in the testcase webpage, right click into the location bar and click "Paste and Go".
-2: after all these steps, the Location Bar is spoofed.

(This Location Bar Spoofing using a blob: URL seems to work whether e10s is disabled or enabled).



Actual results:

With the blob:// protocol it's possible to spoof the location bar by a simple interaction like dragging and dropping a link into the location bar, or copying the link URL and trying to go to this URL by right clicking into the location bar and clicking "Paste and Go".



Expected results:

With the blob:// protocol it's possible to spoof the location.

Coding a patch so that "Paste and Go" of a URL with the blob:// protocol doesn't change the URL of the original webpage could be a possible idea to resolve this vulnerability.

This is clearly inspired by previous bugs where dragging works (comment #0 even mentions drags), and now that we fixed dragging, it suggests using paste and go instead. That's fine, but we already opened a public bug about this (bug 1323452).

Personally, I don't think the severity of this bug is high enough to justify keeping it open separately, so I think we should open up and dupe. Dan?

Marco: I wonder if for bug 1323452 we should special-case non-http/https URIs and/or special-case paste-and-go instead of also 'paste'. Then again, I suppose people will file an exact dupe of this but with manual "paste, then hit enter".

Furthermore, as opposed to URLs that actually load, I suppose for loads that return an error that doesn't show an error page (like these invalid blob URIs) we could also remove the URL after navigation (i.e. revert to the page's URL) - but then, that wouldn't fix the actual problem.
Component: Untriaged → Location Bar
Flags: needinfo?(dveditz)
(In reply to :Gijs from comment #1)
> Marco: I wonder if for bug 1323452 we should special-case non-http/https
> URIs and/or special-case paste-and-go instead of also 'paste'. Then again, I
> suppose people will file an exact dupe of this but with manual "paste, then
> hit enter".

Right, Paste and Go is just a 1-click shortcut to paste and Enter/Go button; it boils down to how many steps we consider too many for a security concern. I think it's up to the security team to evaluate that; I'd personally try to fix paste in general, if possible.

(In reply to :Gijs from comment #1)
> Personally, I don't think the severity of this bug is high enough to justify
> keeping it open separately, so I think we should open up and dupe. Dan?

WFM.

> Marco: I wonder if for bug 1323452 we should special-case non-http/https
> URIs and/or special-case paste-and-go instead of also 'paste'. Then again, I
> suppose people will file an exact dupe of this but with manual "paste, then
> hit enter".

The problem is not paste&go, it's the lack of feedback that there was an error with the URL. Paste&Go, Paste+Enter, or even Type+Enter need to give user feedback. User typing isn't spoofy, of course, but it's still a confusing experience.

> Furthermore, as opposed to URLs that actually load, I suppose for loads that
> return an error that doesn't show an error page (like these invalid blob
> URIs) we could also remove the URL after navigation (ie revert to the page's
> URL) - but then, that wouldn't fix the actual problem.

Or catch the error and navigate to an error page anyway.
Or put up an infobar saying it's an invalid URL.
Or... ?
Flags: needinfo?(dveditz)
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
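The thread hinges on the pasted string never being a loadable blob URL: a real one has the shape `blob:<origin>/<uuid>`, where the origin is the page that created the object URL, while `blob://https://www.google.com/` has no such shape and so fails without an error page. The classifier below, written here as an added example (it is not Mozilla's code and not the attached testcase), makes that distinction explicit and returns the reason a string is rejected, which is the kind of feedback dveditz asks for. Assumptions: the origin part is restricted to http(s), it must be an exact origin serialization (no path, credentials or default port), and the identifier must match an RFC 4122 UUID pattern; all sample strings are constructed for the example.

```javascript
// Added example, not Mozilla code. Classifies a candidate blob: URL string
// and explains why it would not load, instead of failing silently.
// Assumed blob URL shape: blob:<origin>/<uuid>
//   e.g. blob:https://example.com/5a8b2d8e-1c4f-4a0a-9d3c-2f6e7b8c9d0e
// Assumption: identifiers are RFC 4122 UUIDs (version 1-5, variant 8/9/a/b).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function classifyBlobUrl(input) {
  const s = String(input).trim();
  if (!/^blob:/i.test(s)) {
    return { valid: false, reason: 'not a blob: URL' };
  }
  const rest = s.slice('blob:'.length);
  // The origin and the identifier are separated by the last "/".
  const slash = rest.lastIndexOf('/');
  if (slash < 0) {
    return { valid: false, reason: 'missing "/<id>" segment' };
  }
  const originPart = rest.slice(0, slash);
  const id = rest.slice(slash + 1);

  // The report's string "blob://https://www.google.com/" yields the origin
  // part "//https://www.google.com", which has no scheme and does not parse.
  let parsed;
  try {
    parsed = new URL(originPart);
  } catch (e) {
    return { valid: false, reason: 'origin part does not parse: ' + JSON.stringify(originPart) };
  }
  // Assumption: only http(s) origins are accepted in this example.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { valid: false, reason: 'origin scheme ' + parsed.protocol + ' not allowed' };
  }
  // The origin part must be exactly an origin serialization: a path,
  // credentials, or a default port all make it differ from parsed.origin.
  if (parsed.origin !== originPart) {
    return { valid: false, reason: 'origin part is not a bare origin: ' + JSON.stringify(originPart) };
  }
  if (!UUID_RE.test(id)) {
    return { valid: false, reason: 'identifier is not a UUID: ' + JSON.stringify(id) };
  }
  return { valid: true, origin: parsed.origin, id: id.toLowerCase() };
}

// Constructed samples: the string from the bug report, a well-formed blob
// URL, and two malformed variants.
const SAMPLES = [
  'blob://https://www.google.com/',
  'blob:https://www.google.com/5a8b2d8e-1c4f-4a0a-9d3c-2f6e7b8c9d0e',
  'blob:https://www.google.com/path/5a8b2d8e-1c4f-4a0a-9d3c-2f6e7b8c9d0e',
  'blob:file:///5a8b2d8e-1c4f-4a0a-9d3c-2f6e7b8c9d0e',
];

function classifyAll(samples) {
  return samples.map((s) => ({ input: s, result: classifyBlobUrl(s) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { input, result } of classifyAll(SAMPLES)) {
    console.log(input, '->', JSON.stringify(result));
  }
}
```

Run with `node` to see the four verdicts; only the second sample is accepted, and each rejection carries a reason string that a browser could surface in an error page or infobar rather than leaving the rejected text in the location bar.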