Closed Bug 1432624 (CVE-2018-5138) Opened 7 years ago Closed 7 years ago

Firefox Custom Tabs have a phishing risk

Categories

(Firefox for Android Graveyard :: Custom Tabs, defect, P1)

Product:
Firefox for Android Graveyard
Component:
Custom Tabs
Version:
57 Branch
Type:
defect

Tracking

(fennec+, firefox58 wontfix, firefox59 verified, firefox60 verified)

Status:
VERIFIED FIXED
Milestone:
Firefox 60
Tracking Flags:
Tracking Status
fennec + ---
firefox58 --- wontfix
firefox59 --- verified
firefox60 --- verified

People

(Reporter: 5i13ghzt462u, Assigned: droeh)

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [adv-main59+])

Attachments

(2 files)

Custom Tab does not show the main domain, making phishing attacks easy
4.06 MB, video/mp4
Details
Left-truncate and ellipsize domain name in custom tabs action bar
1.95 KB, patch
snorp
: review+
RyanVM
: approval-mozilla-beta+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20180104170325 Steps to reproduce: Open a site with very long domain (and, maybe, multiple subdomains) in Firefox Custom Tabs. E.g. consider this URL: https://paypal.com.securelogin.fakephissite.com/something?auth=whatever As for testing (as a proof of concept) you can use this URL: https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/?q=mnfdkjhfjksdhfjhjhfjdshjkfhsksdkjhg-greatwebsite Open it in a custom tab. (navigate to it in some way as you want) Actual results: In the attached video you see that the main domain ("badssl.com") is not shown in Firefox Custom Tabs, but mostly the long subdomain, but in Firefox on Android itself it is correctly shown (and even highlighted, as you can see in the video). That means if it were a paypal phishing site, It would display the URL as such: https://paypal.com…?auth=whatever I.e. it tries to show the beginning and end of the URL. But that is wrong from a security perspective, because as you can see, the user thinks they are on paypal.com now, while they are on fakephissite.com! And as any Android app can open URLs in Custom Tabs (e.g. mail apps), any URL can be untrustworthy (from untrusted sources as any mail, social media or whereever the app fetches the addresses from), so you cannot assume the URL is legit. Of course, you can _nevber_ assume that user/third-party app input is trustworthy. Expected results: As in Firefox, do show (and potentially even highlight) the main domain and *not* the subdomain. Do not abbreviate the main domain.
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
Ever confirmed: true
Flags: sec-bounty?
We've changed the behavior since, adding ellipsis which isn't great but better than the current one. We also have a bug to make it scrollable instead.
Sorry, your video _is_ with the ellipsis (bug 1393504). That was better than nothing but we knew it was insufficient: see bug 1393404 comment 4. We don't seem to have a follow-up bug to do that, however, so this can be it. Snorp: I'm not sure what the limits are on Custom Tab headers. Do we have the control to make it scrollable? If not maybe we can add the "real URL" to the menu for people who want to look it up. We might just show the domain (as Safari does), though 1) a really really long domain (e.g. the badssl example here) still gets truncated, and 2) there still needs to be some way for users to see/copy the full url. "Open in Firefox" works, I guess, but that's a long way to go Since this was a known problem discussed in a public bug I don't think we need to keep this one hidden.
Group: firefox-core-security
Flags: needinfo?(snorp)
Keywords: csectype-spoof, sec-low
It should be possible to make it scrollable, but a frontend person (once we have those again) would know better. One thing we could also try to do is add the full url to the little popup that is shown when you click the lock icon (or whatever it is when on an insecure site).
Flags: needinfo?(snorp)
Assignee: nobody → droeh
tracking-fennec: ? → +
Priority: -- → P1
This displays the domain name rather than full URL and left-truncates/ellipsizes it in the custom tabs action bar, which should do a better job making phishing attempts obvious. We can file a follow-up to do something nicer when we have frontend people working on this if desired.
Attachment #8949020 - Flags: review?(snorp)
Attachment #8949020 - Flags: review?(snorp) → review+
Pushed by droeh@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3add3eea31b5 Left-truncate and ellipsize domain in custom tabs to reduce phishing risk. r=snorp
https://hg.mozilla.org/mozilla-central/rev/3add3eea31b5
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox60: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
This is ineligible for bug bounty as a low rated security issue.
Flags: sec-bounty? → sec-bounty-
Verified as fixed on latest Nightly - CustomTabs build following the steps from description. Device: Nexus 6 (Android 6.0.1).
Status: RESOLVED → VERIFIED
status-firefox60: fixedverified
Please nominate this for Beta approval when you get a chance. It grafts cleanly as-landed.
status-firefox58: --- → wontfix
status-firefox59: --- → affected
Flags: needinfo?(droeh)
Comment on attachment 8949020 [details] [diff] [review] Left-truncate and ellipsize domain name in custom tabs action bar Approval Request Comment [Feature/Bug causing the regression]: Custom tabs [User impact if declined]: Potential phishing risk, as we may display a url with misleading truncation [Is this code covered by automated tests?]: No [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: Load a custom tab on any site with a domain name long enough to be truncated and confirm that it is truncated on the left [List of other uplifts needed for the feature/fix]: [Is the change risky?]: No [Why is the change risky/not risky?]: Just a simple change to how we format/display the url [String changes made/needed]: None
Flags: needinfo?(droeh)
Attachment #8949020 - Flags: approval-mozilla-beta?
Comment on attachment 8949020 [details] [diff] [review] Left-truncate and ellipsize domain name in custom tabs action bar Fixes a sec issue and verified on Nightly. Let's take this for 59b13.
Attachment #8949020 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Verified as fixed on Beta 59.0b13. LG G4 (Android 5.1) HTC 10 (Android 8.0)
status-firefox59: fixedverified
Whiteboard: [adv-main59+]
Alias: CVE-2018-5138
If Focus for Android is set as the default browser, does it have this same problem with Custom Tabs?
Flags: needinfo?(kbrosnan)
Flags: needinfo?(kbrosnan)
Flags: sec-bounty-hof+
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: