Closed Bug 1441193 Opened 4 years ago Closed 2 years ago

Firefox for Android: A specially-crafted HTML file leads to a Bug which will download all WebPages instead to load these WebPages and can lead to Same-Origin Policy Bypass

Categories

(Firefox for Android Graveyard :: General, defect, P3)

58 Branch
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jordi.chancel, Unassigned)

References

()

Details

(Keywords: sec-moderate)

Attachments

(2 files)

Attached file video demo.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180219114835

Steps to reproduce:

Explanation:

The malicious web page contains a first link that opens a specially-crafted HTML file, leading to a bug which will download all web pages instead of navigating to these web pages.
If a user is logged in to their https://bugzilla.mozilla.org/ account and goes to the malicious web page on the attacker's server,
the malicious web page contains a 2nd link to https://bugzilla.mozilla.org/user_profile .
When the user clicks on this 2nd link, a file "user_profile" will be automatically downloaded, and the source code of this file has the same content as https://bugzilla.mozilla.org/user_profile when the user is logged in to their account (so the downloaded file contains sensitive/private information about the user and their account).

The malicious web page has also previously downloaded an HTML file (open-me.html) to steal the content of the downloaded file "user_profile" and send it to the attacker's server.

(The video demo in Attachments will show you how this vulnerability works.)
/!\ A better testcase with less user interaction can be coded /!\
------------------------------

With this vulnerability it is also possible to automatically download the content of the local file browser.db using the view-source: URL
(eg: view-source:file:///data/data/org.mozilla.firefox/files/mozilla/????.default/browser.db )
I will make another testcase and video demo to demonstrate that.


Actual results:

This can lead to a Same-Origin Policy bypass.


Expected results:

A possible way to fix this bug requires knowing why web pages are downloaded after the specially-crafted HTML file is loaded in Firefox for Android.
To summarize my understanding:
- The user is logged into an account with private information
- The user visits the malicious page and clicks a link to download a malicious HTML file
- The user clicks a link to download an HTML page with their private information
- The user opens the malicious HTML file, which copies the HTML page with their private information to the attacker's server, violating the Same-Origin Policy

In the video, I'm not sure of the significance of clicking a link and waiting for a non-responsive script, but I imagine it's important to the steps above.

[triage] The end result is really bad but it seems like it requires a lot of user intervention (and it's sec-moderate) so I'm going to call this non-critical. Please NI me if you disagree.

NI Susheel to verify my thinking.
Flags: needinfo?(sdaswani)
Priority: -- → P3
Agree.
Flags: needinfo?(sdaswani)
This is the video demo demonstrating that we can steal the content of the local file "file:///data/data/org.mozilla.firefox/files/mozilla/1234.default/browser.db".
This is an Android dupe of many bugs about the save-as functionality combined with our "same-directory" file:// origin policy. This is not something that we would or could solve for Android only -- it's a Gecko issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: firefox-core-security → mobile-core-security

This was fixed in the browser engine by making all files a unique origin (see bug 803143 and its dependencies).

Status: NEW → RESOLVED
Closed: 2 years ago
Depends on: 803143
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED
Group: core-security-release
Group: mobile-core-security, core-security-release
Product: Firefox for Android → Firefox for Android Graveyard