Closed Bug 1418644 Opened 7 years ago Closed 4 years ago

Username/password prompt can be used to hijack the browser

Categories

(Core :: Networking: HTTP, defect, P3)

57 Branch
defect

Tracking

RESOLVED WORKSFORME

People

(Reporter: koenigseggcc, Unassigned)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

I was sent a valid Yahoo (bad already, I know) link which eventually redirected to some malicious "Your computer is infected" page. The original link is normally valid, and is attached for reference, as is the bad one. I clicked the original link, went through a couple of the pages listed, and got redirected. This only happened once. Yahoo seems to allow something to hijack connections occasionally.

Original link which was redirected from: https://ca.yahoo.com/news/every-car-weve-tested-hit-211403319.html

Bad link I was redirected to: http://seolosangelesservices.com/in/000ads8957402/?ads=6bcvru5m9y&sspid=%5BEXCHANGE%5D&cb=359427&referer=https%3A%2F%2Fca.news.yahoo.com%2Fevery-car-weve-tested-hit-211403319.html&p=000ads8957402&click=https%253A%252F%252Fclick-west.acuityplatform.com%252FAdserver%252Flanding%253Fbc%253D727071%2526position%253D3%2526bannerid%253D719924%2526campaignid%253D235588%2526mastercampaignid%253D85412%2526sizeid%253D3%2526exid%253D17%2526adid%253D0%2526xuid%253DYLyT9MqW.DLw3mVeSBQiuc1Y%2526agentcode%253D0%2526geocode%253D21%2526geostrcode%253D%2526siteid%253D20000228%2526inventoryid%253D49518081%2526pubid%253D0%2526reqid%253Db9da65d7-2f36-664a-bd63-3d545e327ff2%253A1511022143056%253A1%2526ip%253Dae583300%2526ts%253D15fcff026a8%2526test%253D0%2526rc%253D1%2526cnt%253DCA%2526rg%253DON%2526cty%253DAJAX%2526ert%253D0%2526erid%253D%2526ag%253D7%2526gnd%253D2%2526ca%253D0%2526bauid%253Dnull%2526cepid%253Dnull%2526cvt%253D0%2526uq%253D0%2526sg%253D0%2526sgs%253D%2526sgmt%253D%2526tt%253Db9da65d7-2f36-664a-bd63-3d545e327ff2%253A1511022143056%253A1%2526uaos%253D5%2526uab%253D7%2526dealid%253D0%2526pw%253D-1%2526ph%253D-1%2526ist%253D15fcff026a8%2526pl%253D0%2526vrt%253D0%2526vrl%253D%2526topics%253D20977%252C20210%252C20939%2526chnls%253D%2526lat%253D43.840393%2526long%253D-79.0251%2526sw%253D0%2526sh%253D0%2526dt%253D1%2526int%253D0%2526devid%253D1%2526landingUrl%253D&sitedomain=http%253A%252F%252Fyahoo.com&rand=null&pubid=0&siteid=20000228&location=https%3A%2F%2Fs.yimg.com%2Frq%2Fdarla%2F3-0-8%2Fhtml%2Fr-sf.html&dt1=0&dt2=0&dt4=2&dt5=2&dt6=0&dt7=0&dt8=10&dt9=NA&dt10=no%3A28%7Camazon.com%7Ccarbonmade%7Cbitbucket%7Cblogger%7Cfoursquare%7Chackernews%7Cdisqus%7Cgithub%7Cmeetup%7Cindeed%7Cpaypal%7Cstack%7Cmedium%7Ctumblr%7Cedx%7Cbattle.net%7Csquare%7Cflickr%7Ckhan_academy%7Cskype%7Cexpedia%7Cpinterest%7Cairbnb%7Cacademia.edu%7Cgoogle_plus%7Cvk%7Creddit%7C500px%3Bok%3A6%7Cyoutube%7Cgmail%7Cdropbox%7Cfacebook%7Cspotify%7Ctwitter%3Berr%3A1%7Csteam&dt11=1

Actual results:

Once the bad redirect happened, a basic html page loaded saying "Your computer is infected," with an audio version of the page playing, and brought up the username/password prompt. Upon choosing to cancel the authentication request, the page reloads, bringing up the authentication prompt again. You cannot interact with Firefox because the authentication prompt hijacks focus.

Expected results:

Firefox should allow you to ignore the prompt so that you can close the tab, or hit the back button
Group: firefox-core-security
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → UNCONFIRMED
Ever confirmed: false
There are a number of ways to use this for focus hijack. We've already fixed one in the past (bug 1312243). The only true solution is to make the auth dialog tab-modal and not browser-modal as it is now.
Priority: -- → P3
See Also: → CVE-2017-5419
Whiteboard: [necko-triaged]
Bug 613785 is filed for that. I don't think it's as simple as getting the prompt to show in-content like some other prompt service consumers since that would make the dialog easily spoofable by content.
See Also: → 613785
We could mitigate this particular vector by storing the abuse flags on the docshell instead of the document.
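
A toy model of the mitigation proposed in the comment above, added here as an illustration and not Firefox code: a cancel counter kept on the document is discarded by every reload, while one kept on the docshell survives it. The class names, `simulate`, and the threshold of 3 are assumptions made for the example.

```javascript
// Added model, not Firefox code. DocShell, Document, MAX_CANCELS and
// simulate are hypothetical names; the threshold of 3 is an assumed value.
const MAX_CANCELS = 3;

class Document {
  constructor() {
    this.authCancels = 0; // state that dies with the document
  }
}

class DocShell {
  constructor() {
    this.authCancels = 0; // state that survives navigations and reloads
    this.document = new Document();
  }
  reload() {
    this.document = new Document(); // a reload creates a fresh document
  }
}

// Model a page that raises `promptsPerLoad` auth challenges per load and
// reloads itself after the user cancels them. `store` selects where the
// cancel counter lives: "document" or "docshell".
// Returns how many modal prompts the user has to dismiss.
function simulate(store, loads, promptsPerLoad) {
  const shell = new DocShell();
  let shown = 0;
  for (let load = 0; load < loads; load++) {
    for (let p = 0; p < promptsPerLoad; p++) {
      const holder = store === "docshell" ? shell : shell.document;
      if (holder.authCancels >= MAX_CANCELS) break; // further prompts suppressed
      shown++;              // modal prompt shown
      holder.authCancels++; // user cancels it
    }
    shell.reload();         // page reloads, as in the report
  }
  return shown;
}

// Ten reloads, one challenge each: the per-document counter never reaches
// the limit, the per-docshell counter stops the loop after MAX_CANCELS.
console.log(simulate("document", 10, 1), simulate("docshell", 10, 1));
```
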
The 'Would you like Firefox to save this login' thing is per-tab, and would be hard to spoof. Would it not be sufficient to move all authentication prompts to this style?

I believe this has now been addressed.

Thanks for confirming!

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME