Closed
Bug 1432624
(CVE-2018-5138)
Opened 7 years ago
Closed 7 years ago
Firefox Custom Tabs have a phishing risk
Categories
(Firefox for Android Graveyard :: Custom Tabs, defect, P1)
Tracking
(fennec+, firefox58 wontfix, firefox59 verified, firefox60 verified)
VERIFIED
FIXED
Firefox 60
People
(Reporter: 5i13ghzt462u, Assigned: droeh)
Details
(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [adv-main59+])
Attachments (2 files)
- 4.06 MB, video/mp4
- 1.95 KB, patch (snorp: review+; RyanVM: approval-mozilla-beta+)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180104170325
Steps to reproduce:
Open a site with very long domain (and, maybe, multiple subdomains) in Firefox Custom Tabs.
E.g. consider this URL:
https://paypal.com.securelogin.fakephissite.com/something?auth=whatever
For testing (as a proof of concept) you can use this URL: https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/?q=mnfdkjhfjksdhfjhjhfjdshjkfhsksdkjhg-greatwebsite
Open it in a custom tab (navigate to it in whatever way you want).
Actual results:
In the attached video you see that the main domain ("badssl.com") is not shown in Firefox Custom Tabs, but mostly the long subdomain, whereas in Firefox on Android itself it is correctly shown (and even highlighted, as you can see in the video).
That means if it were a PayPal phishing site, it would display the URL as such:
https://paypal.com…?auth=whatever
I.e. it tries to show the beginning and end of the URL. But that is wrong from a security perspective, because as you can see, the user thinks they are on paypal.com now, while they are on fakephissite.com!
And as any Android app can open URLs in Custom Tabs (e.g. mail apps), any URL can be untrustworthy (from untrusted sources such as any mail, social media or wherever the app fetches the addresses from), so you cannot assume the URL is legit. Of course, you can _never_ assume that user/third-party app input is trustworthy.
Expected results:
As in Firefox, do show (and potentially even highlight) the main domain and *not* the subdomain. Do not abbreviate the main domain.
Updated•7 years ago
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
Ever confirmed: true
Updated•7 years ago
Flags: sec-bounty?
Comment 1•7 years ago
We've changed the behavior since, adding ellipsis which isn't great but better than the current one. We also have a bug to make it scrollable instead.
Comment 2•7 years ago
Sorry, your video _is_ with the ellipsis (bug 1393504). That was better than nothing but we knew it was insufficient: see bug 1393404 comment 4. We don't seem to have a follow-up bug to do that, however, so this can be it.
Snorp: I'm not sure what the limits are on Custom Tab headers. Do we have the control to make it scrollable? If not maybe we can add the "real URL" to the menu for people who want to look it up. We might just show the domain (as Safari does), though 1) a really really long domain (e.g. the badssl example here) still gets truncated, and 2) there still needs to be some way for users to see/copy the full URL. "Open in Firefox" works, I guess, but that's a long way to go.
Since this was a known problem discussed in a public bug I don't think we need to keep this one hidden.
It should be possible to make it scrollable, but a frontend person (once we have those again) would know better.
One thing we could also try to do is add the full url to the little popup that is shown when you click the lock icon (or whatever it is when on an insecure site).
Flags: needinfo?(snorp)
Assignee: nobody → droeh
tracking-fennec: ? → +
Priority: -- → P1
Comment 4•7 years ago (Assignee)
This displays the domain name rather than full URL and left-truncates/ellipsizes it in the custom tabs action bar, which should do a better job making phishing attempts obvious. We can file a follow-up to do something nicer when we have frontend people working on this if desired.
Attachment #8949020 -
Flags: review?(snorp)
Attachment #8949020 -
Flags: review?(snorp) → review+
Pushed by droeh@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3add3eea31b5
Left-truncate and ellipsize domain in custom tabs to reduce phishing risk. r=snorp
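To make the two display policies in this bug concrete (the middle truncation the reporter describes in the description, and the host-only left truncation from comment 4), here is an added Python illustration; it is not Fennec code, and the two-label suffix check is a constructed stand-in for the Public Suffix List that a real browser would consult.

```python
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"  # the single "…" character used in the truncated display

# URLs quoted in the bug report (the first is the reporter's hypothetical phishing URL).
PHISH_URL = "https://paypal.com.securelogin.fakephissite.com/something?auth=whatever"
BADSSL_URL = ("https://long-extended-subdomain-name-containing-many-letters-and-dashes"
              ".badssl.com/?q=mnfdkjhfjksdhfjhjhfjdshjkfhsksdkjhg-greatwebsite")


def middle_ellipsize(text, keep_head, keep_tail):
    """Pre-fix behaviour described in the report: keep the start and end of the full URL.

    Whatever survives at the start is attacker-chosen (the leftmost subdomain labels),
    so the real registrable domain in the middle disappears behind the ellipsis.
    """
    if len(text) <= keep_head + keep_tail + 1:
        return text
    return text[:keep_head] + ELLIPSIS + text[-keep_tail:]


def left_ellipsize_host(url, max_len):
    """Fixed behaviour from comment 4: show only the host, truncated on the left.

    DNS labels are hierarchical from right to left, so the rightmost labels are the
    ones the site owner cannot pick freely; keeping them visible exposes the true domain.
    """
    host = urlsplit(url).hostname or ""
    if len(host) <= max_len:
        return host
    return ELLIPSIS + host[-(max_len - 1):]


def shows_true_domain(displayed, url, labels=2):
    """Check whether the displayed text still ends with the host's last `labels` labels.

    Two labels is a constructed simplification of the Public Suffix List
    (e.g. a 'co.uk' host would need three labels).
    """
    host = urlsplit(url).hostname or ""
    suffix = ".".join(host.split(".")[-labels:])
    return displayed.endswith(suffix)


if __name__ == "__main__":
    before = middle_ellipsize(PHISH_URL, 18, 14)  # 'https://paypal.com…?auth=whatever'
    after = left_ellipsize_host(PHISH_URL, 20)    # '…in.fakephissite.com'
    print(before, shows_true_domain(before, PHISH_URL))  # False: reads as paypal.com
    print(after, shows_true_domain(after, PHISH_URL))    # True: fakephissite.com visible
```

The same check run on the badssl.com test URL from the description yields `…d-dashes.badssl.com`, so the truly long domain is still truncated (as comment 2 predicted) but the registrable part stays readable.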
Comment 6•7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox60:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
Comment 7•7 years ago
This is ineligible for bug bounty as a low rated security issue.
Flags: sec-bounty? → sec-bounty-
Comment 8•7 years ago
Verified as fixed on the latest Nightly CustomTabs build, following the steps from the description.
Device: Nexus 6 (Android 6.0.1).
Status: RESOLVED → VERIFIED
Comment 9•7 years ago
Please nominate this for Beta approval when you get a chance. It grafts cleanly as-landed.
Comment 10•7 years ago (Assignee)
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar
Approval Request Comment
[Feature/Bug causing the regression]: Custom tabs
[User impact if declined]: Potential phishing risk, as we may display a URL with misleading truncation
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: Load a custom tab on any site with a domain name long enough to be truncated and confirm that it is truncated on the left
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: No
[Why is the change risky/not risky?]: Just a simple change to how we format/display the url
[String changes made/needed]: None
Flags: needinfo?(droeh)
Attachment #8949020 -
Flags: approval-mozilla-beta?
Comment 11•7 years ago
Comment on attachment 8949020 [details] [diff] [review]
Left-truncate and ellipsize domain name in custom tabs action bar
Fixes a sec issue and verified on Nightly. Let's take this for 59b13.
Attachment #8949020 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 12•7 years ago (bugherder uplift)
Comment 13•7 years ago
Verified as fixed on Beta 59.0b13.
LG G4 (Android 5.1)
HTC 10 (Android 8.0)
Updated•7 years ago
Whiteboard: [adv-main59+]
Updated•7 years ago
Alias: CVE-2018-5138
Comment 14•7 years ago
If Focus for Android is set as the default browser, does it have this same problem with Custom Tabs?
Flags: needinfo?(kbrosnan)
Updated•7 years ago
Flags: needinfo?(kbrosnan)
Updated•5 years ago
Flags: sec-bounty-hof+
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard
Updated•8 months ago
Keywords: reporter-external