Closed Bug 1441193 Opened 4 years ago Closed 2 years ago

Firefox for Android: A specially-crafted HTML file leads to a Bug which will download all WebPages instead to load these WebPages and can lead to Same-Origin Policy Bypass


(Firefox for Android Graveyard :: General, defect, P3)

58 Branch


(Not tracked)



(Reporter: jordi.chancel, Unassigned)




(Keywords: sec-moderate)


(2 files)

Attached file video demo.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180219114835

Steps to reproduce:


The Malicious Webpage contains a first link to open a specially-crafted HTML file leading to a bug which will download all Webpages instead to go on these WebPages
If an user is connected on his account and go to the Malicious Webpage on the Attacker's server,
The malicious Webpage contains a 2nd link to ,
When the user clicks on this 2nd link, a file "user_profile" will be automatically downloaded and the source-code of this file has the same content as when the user is connected on his account (so the file downloaded contains sensitive/private information about the user and his account).

The Malicious WebPage has also previously downloaded an HTML file (open-me.html) to steal the content of the downloaded file "user_profile" and send it to the attacker's server

(The Video Demo in Attachements will show you how this vulnerability works)
/!\ A better testcase with less user interaction can be coded /!\

With this vulnerability it is also possible to download automatically the content of the local file: browser.db using the view-source: URL 
(eg: view-source:file:///data/data/org.mozilla.firefox/files/mozilla/????.default/browser.db )
I will make another testcase and video demo to demonstrate that.

Actual results:

This can lead to Same-Origin Policy Bypass

Expected results:

A possibility to fixe this bug need to know why webpages are downloaded after that the specially-crafted HTML file is loaded in Firefox for Android.
To summarize my understanding:
- The user is logged into an account with private information
- The user visits the malicious page and clicks a link to download a malicious HTML file
- The user clicks a link to download an HTML page with their private information
- The user opens the malicious HTML file, which copies the HTML page with their private information to the attacker's server, violating the Same-Origin Policy

In the video, I'm not sure the significance of clicking a link and waiting for a non-responsive script, but I imagine it's important to these steps above.

[triage] The end result is really bad but it seems like it requires a lot of user intervention (and it's sec-moderate) so I'm going to call this non-critical. Please NI me if you disagree.

NI Susheel to verify my thinking.
Flags: needinfo?(sdaswani)
Priority: -- → P3
Flags: needinfo?(sdaswani)
It is the video demo demonstrating that we can steal the content of the local file "file:///data/data/org.mozilla.firefox/files/mozilla/1234.default/browser.db".
This is an Android dupe of many bugs about the save-as functionality combined with our "same-directory" file:// origin policy. This is not something that we would or could solve for Android only -- it's a Gecko issue.
Ever confirmed: true
Group: firefox-core-security → mobile-core-security

This was fixed in the browser engine by making all files a unique origin (see bug 803143 and its dependencies).

Closed: 2 years ago
Depends on: 803143
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED
Group: core-security-release
Group: mobile-core-security, core-security-release
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.