Bug 1432624 (CVE-2018-5138)

Firefox Custom Tabs have a phishing risk

VERIFIED FIXED in Firefox 59

Status


defect
P1
normal
VERIFIED FIXED

People

(Reporter: c4609174, Assigned: droeh)

Tracking

({csectype-spoof, sec-low})

Version: 57 Branch
Target Milestone: Firefox 60
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(fennec+, firefox58 wontfix, firefox59 verified, firefox60 verified)

Details

(Whiteboard: [adv-main59+])

Attachments

(2 attachments)

Reporter

Description

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180104170325

Steps to reproduce:

Open a site with a very long domain (and, maybe, multiple subdomains) in Firefox Custom Tabs.

E.g. consider this URL:
https://paypal.com.securelogin.fakephissite.com/something?auth=whatever

For testing (as a proof of concept) you can use this URL: https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/?q=mnfdkjhfjksdhfjhjhfjdshjkfhsksdkjhg-greatwebsite

Open it in a custom tab (navigate to it in whatever way you want).



Actual results:

In the attached video you can see that the main domain ("badssl.com") is not shown in Firefox Custom Tabs, only (mostly) the long subdomain, whereas in Firefox for Android itself it is shown correctly (and even highlighted, as you can see in the video).

That means that if it were a PayPal phishing site, it would display the URL like this:
https://paypal.com…?auth=whatever

I.e. it tries to show the beginning and end of the URL. But that is wrong from a security perspective, because as you can see, the user thinks they are on paypal.com now, while they are on fakephissite.com!

And as any Android app can open URLs in Custom Tabs (e.g. mail apps), any URL can be untrustworthy (from untrusted sources such as mail, social media or wherever the app fetches the addresses from), so you cannot assume the URL is legit. Of course, you can _never_ assume that user/third-party app input is trustworthy.


Expected results:

As in Firefox, do show (and potentially even highlight) the main domain and *not* the subdomain. Do not abbreviate the main domain.
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
Ever confirmed: true
Flags: sec-bounty?
We've changed the behavior since, adding ellipsis which isn't great but better than the current one. We also have a bug to make it scrollable instead.
Sorry, your video _is_ with the ellipsis (bug 1393504). That was better than nothing but we knew it was insufficient: see bug 1393404 comment 4. We don't seem to have a follow-up bug to do that, however, so this can be it.

Snorp: I'm not sure what the limits are on Custom Tab headers. Do we have the control to make it scrollable? If not maybe we can add the "real URL" to the menu for people who want to look it up. We might just show the domain (as Safari does), though 1) a really really long domain (e.g. the badssl example here) still gets truncated, and 2) there still needs to be some way for users to see/copy the full url. "Open in Firefox" works, I guess, but that's a long way to go

Since this was a known problem discussed in a public bug I don't think we need to keep this one hidden.
Group: firefox-core-security
Flags: needinfo?(snorp)
It should be possible to make it scrollable, but a frontend person (once we have those again) would know better.

One thing we could also try to do is add the full url to the little popup that is shown when you click the lock icon (or whatever it is when on an insecure site).
Flags: needinfo?(snorp)
Assignee: nobody → droeh
tracking-fennec: ? → +
Priority: -- → P1
This displays the domain name rather than full URL and left-truncates/ellipsizes it in the custom tabs action bar, which should do a better job making phishing attempts obvious. We can file a follow-up to do something nicer when we have frontend people working on this if desired.
Attachment #8949020 - Flags: review?(snorp)
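The two display behaviours discussed in this bug, the middle-ellipsized full URL from the reporter's description and the host-only, left-ellipsized display from the fix above, modelled in Python. This is an added example, not Fennec's Java code or the patch that landed; the head/tail widths and the 20-character host width are assumptions chosen so that the output matches the strings quoted in the report, and the registrable domain is passed in by the caller rather than looked up against the Public Suffix List.

```python
"""Model of the custom-tabs URL display before and after the fix (added example,
not Firefox code).

Pre-fix: the whole URL was middle-ellipsized, keeping its start and end. Anything
an attacker puts at the START of the hostname (a lure subdomain) survives while
the real registrable domain in the middle is cut away.

Post-fix: only the host is shown and it is left-ellipsized, so the right-hand
end of the hostname, where the registrable domain always lives, stays visible.
"""
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"  # single-character ellipsis, as used in the action bar


def middle_ellipsize(text: str, head: int, tail: int) -> str:
    """Pre-fix behaviour: keep `head` leading and `tail` trailing characters."""
    if len(text) <= head + tail + 1:
        return text
    return text[:head] + ELLIPSIS + (text[-tail:] if tail > 0 else "")


def left_ellipsize(text: str, max_len: int) -> str:
    """Post-fix behaviour: keep only the LAST `max_len - 1` characters."""
    if max_len < 2:
        raise ValueError("max_len must leave room for the ellipsis and a character")
    if len(text) <= max_len:
        return text
    return ELLIPSIS + text[-(max_len - 1):]


def display_before_fix(url: str, head: int = 18, tail: int = 14) -> str:
    """Full URL, middle-ellipsized. Widths are an assumption of this example,
    picked to reproduce the "https://paypal.com...?auth=whatever" rendering
    quoted in the report."""
    return middle_ellipsize(url, head, tail)


def display_after_fix(url: str, max_len: int = 20) -> str:
    """Host only, left-ellipsized. The 20-character width is an assumption."""
    host = urlsplit(url).hostname or ""   # empty if the URL has no authority part
    return left_ellipsize(host, max_len)


def compare(url: str, lure: str, registrable_domain: str) -> dict:
    """Render `url` both ways and report whether the attacker's lure text and the
    real registrable domain are visible in each. Which suffix is "registrable"
    would normally come from the Public Suffix List; here the caller supplies it."""
    before = display_before_fix(url)
    after = display_after_fix(url)
    return {
        "before": before,
        "after": after,
        "lure_visible_before": lure in before,
        "lure_visible_after": lure in after,
        "domain_visible_before": registrable_domain in before,
        "domain_visible_after": after.endswith(registrable_domain),
    }


if __name__ == "__main__":
    # Constructed inputs: the phishing-style URL and the badssl.com test URL from the report.
    for url in (
        "https://paypal.com.securelogin.fakephissite.com/something?auth=whatever",
        "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/?q=x",
    ):
        print("before:", display_before_fix(url))
        print("after: ", display_after_fix(url))
```

Running it shows the pre-fix rendering "https://paypal.com…?auth=whatever" next to the post-fix "…in.fakephissite.com": the lure disappears and the registrable domain is the last thing on screen. As the comments note, a host longer than the bar still gets clipped on the left, so the user also needs some way to see or copy the full URL.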

Comment 5

Pushed by droeh@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3add3eea31b5
Left-truncate and ellipsize domain in custom tabs to reduce phishing risk. r=snorp
https://hg.mozilla.org/mozilla-central/rev/3add3eea31b5
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
This is ineligible for a bug bounty as a low-rated security issue.
Flags: sec-bounty? → sec-bounty-
Verified as fixed on latest Nightly - CustomTabs build following the steps from description.
Device: Nexus 6 (Android 6.0.1).
Status: RESOLVED → VERIFIED
Please nominate this for Beta approval when you get a chance. It grafts cleanly as-landed.
Flags: needinfo?(droeh)
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar

Approval Request Comment
[Feature/Bug causing the regression]: Custom tabs
[User impact if declined]: Potential phishing risk, as we may display a url with misleading truncation
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: Load a custom tab on any site with a domain name long enough to be truncated and confirm that it is truncated on the left
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: No
[Why is the change risky/not risky?]: Just a simple change to how we format/display the url
[String changes made/needed]: None
Flags: needinfo?(droeh)
Attachment #8949020 - Flags: approval-mozilla-beta?
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar

Fixes a sec issue and verified on Nightly. Let's take this for 59b13.
Attachment #8949020 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 13

Verified as fixed on Beta 59.0b13.
LG G4 (Android 5.1)
HTC 10 (Android 8.0)
Whiteboard: [adv-main59+]
Alias: CVE-2018-5138
If Focus for Android is set as the default browser, does it have this same problem with Custom Tabs?
Flags: needinfo?(kbrosnan)
Flags: needinfo?(kbrosnan)