Closed Bug 1432624 (CVE-2018-5138) Opened 7 years ago Closed 7 years ago

Firefox Custom Tabs have a phishing risk


(Firefox for Android Graveyard :: Custom Tabs, defect, P1)

57 Branch


(fennec+, firefox58 wontfix, firefox59 verified, firefox60 verified)

Firefox 60
Tracking Status
fennec + ---
firefox58 --- wontfix
firefox59 --- verified
firefox60 --- verified


(Reporter: 5i13ghzt462u, Assigned: droeh)


(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [adv-main59+])


(2 files)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180104170325

Steps to reproduce:

Open a site with very long domain (and, maybe, multiple subdomains) in Firefox Custom Tabs.

E.g. consider this URL:

As for testing (as a proof of concept) you can use this URL:

Open it in a custom tab. (navigate to it in some way as you want)

Actual results:

In the attached video you see that the main domain ("") is not shown in Firefox Custom Tabs, but mostly the long subdomain, but in Firefox on Android itself it is correctly shown (and even highlighted, as you can see in the video).

That means if it were a paypal phishing site, It would display the URL as such:…?auth=whatever

I.e. it tries to show the beginning and end of the URL. But that is wrong from a security perspective, because as you can see, the user thinks they are on now, while they are on!

And as any Android app can open URLs in Custom Tabs (e.g. mail apps), any URL can be untrustworthy (from untrusted sources as any mail, social media or whereever the app fetches the addresses from), so you cannot assume the URL is legit. Of course, you can _nevber_ assume that user/third-party app input is trustworthy.

Expected results:

As in Firefox, do show (and potentially even highlight) the main domain and *not* the subdomain. Do not abbreviate the main domain.
tracking-fennec: --- → ?
Ever confirmed: true
Flags: sec-bounty?
We've changed the behavior since, adding ellipsis which isn't great but better than the current one. We also have a bug to make it scrollable instead.
Sorry, your video _is_ with the ellipsis (bug 1393504). That was better than nothing but we knew it was insufficient: see bug 1393404 comment 4. We don't seem to have a follow-up bug to do that, however, so this can be it.

Snorp: I'm not sure what the limits are on Custom Tab headers. Do we have the control to make it scrollable? If not maybe we can add the "real URL" to the menu for people who want to look it up. We might just show the domain (as Safari does), though 1) a really really long domain (e.g. the badssl example here) still gets truncated, and 2) there still needs to be some way for users to see/copy the full url. "Open in Firefox" works, I guess, but that's a long way to go

Since this was a known problem discussed in a public bug I don't think we need to keep this one hidden.
Group: firefox-core-security
Flags: needinfo?(snorp)
It should be possible to make it scrollable, but a frontend person (once we have those again) would know better.

One thing we could also try to do is add the full url to the little popup that is shown when you click the lock icon (or whatever it is when on an insecure site).
Flags: needinfo?(snorp)
Assignee: nobody → droeh
tracking-fennec: ? → +
Priority: -- → P1
This displays the domain name rather than full URL and left-truncates/ellipsizes it in the custom tabs action bar, which should do a better job making phishing attempts obvious. We can file a follow-up to do something nicer when we have frontend people working on this if desired.
Attachment #8949020 - Flags: review?(snorp)
Attachment #8949020 - Flags: review?(snorp) → review+
Pushed by
Left-truncate and ellipsize domain in custom tabs to reduce phishing risk. r=snorp
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
This is ineligible for bug bounty as a low rated security issue.
Flags: sec-bounty? → sec-bounty-
Verified as fixed on latest Nightly - CustomTabs build following the steps from description.
Device: Nexus 6 (Android 6.0.1).
Please nominate this for Beta approval when you get a chance. It grafts cleanly as-landed.
Flags: needinfo?(droeh)
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar

Approval Request Comment
[Feature/Bug causing the regression]: Custom tabs
[User impact if declined]: Potential phishing risk, as we may display a url with misleading truncation
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: Load a custom tab on any site with a domain name long enough to be truncated and confirm that it is truncated on the left
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: No
[Why is the change risky/not risky?]: Just a simple change to how we format/display the url
[String changes made/needed]: None
Flags: needinfo?(droeh)
Attachment #8949020 - Flags: approval-mozilla-beta?
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar

Fixes a sec issue and verified on Nightly. Let's take this for 59b13.
Attachment #8949020 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Verified as fixed on Beta 59.0b13.
LG G4 (Android 5.1)
HTC 10 (Android 8.0)
Whiteboard: [adv-main59+]
Alias: CVE-2018-5138
If Focus for Android is set as the default browser, does it have this same problem with Custom Tabs?
Flags: needinfo?(kbrosnan)
Flags: needinfo?(kbrosnan)
Flags: sec-bounty-hof+
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.