1457692 - The about:home(about:newtab) page will accept clicks to open privileged content while framed in recent nightly builds

Status: RESOLVED FIXED

(Firefox :: New Tab Page, defect, P1)

Description

[Cody Crews]

Attachment: homeClickJack.html

In recent nightly builds it's possible to perform click jacking to open privileged content(about:preferences).  This is possible because multiple changes, the first being that about:home now simply loads about:newtab.

The next problem is that the about:home page will now accept clicks while framed for buttons displayed that open privileged content.  In the past, about:home could be loaded from content, but if framed the buttons that open privileged content would not accept mouse events.

Content can not even load about:newtab, so if this is the desired behavior why can content load about:home?

I'm attaching a testcase that shows click jacking performed on about:home(about:newtab) targeting the settings/preferences button.  The movement tracking could be cleaner, and for an actual attack iframe.style.opacity = 0 would obviously be used.

Comment 1

[:Gijs (away/busy until Mar 10)]

[Tracking Requested - why for this release]:
Security regression.


This isn't an issue in 60 because that button doesn't open the preferences. Looks like that changed in nightly.

(In reply to Cody Crews from comment #0)
> Content can not even load about:newtab, so if this is the desired behavior
> why can content load about:home?

Because content has always been able to load about:home (ugh) and changing it while keeping support for the non-Activity-stream about:home was difficult. Aligning this with about:newtab is bug 1438367. There it's also noted that (even though old about:home is gone now) there'll be issues with syncing indexeddb storage because the origins are different depending on the linkable flag (x-ref bug 1228118 and particularly the comment there that mentions indexeddb).

So in other words, this is not super easy to fix. But I think we should try to increase the priority for bug 1438367 as a result of this bug. With bug 1438368 fixed I think we should just push ahead with the origin change and do a one-time migration of blocked items. Mardak, does that sound OK and does someone on your team have cycles to do that for 61?

If not, a short-term mitigation here would be to not enable this button if the document is framed (heck, I think we shouldn't do anything in about:home/about:newtab if we're framed, not even display tiles). But that's ugly and paints a bit of a target over what's possible here, and I wouldn't like to encourage people to find more inventive ways of exploiting the frame-ability of about:home that exists even in 60.

Comment 2

[Ed Lee :Mardak]

Could a workaround also just check if window.top === window?

Comment 3

[Cody Crews]

(In reply to Ed Lee :Mardak from comment #2)
> Could a workaround also just check if window.top === window?

This was my thoughts originally.  Seems like the old behavior was simple enough.  If there's anything I can do to help these fixes along, let me know.  I have some data/time limitations that could be considered extreme, but I would love to get back into things :)

Comment 4

[:Gijs (away/busy until Mar 10)]

(In reply to Ed Lee :Mardak from comment #2)
> Could a workaround also just check if window.top === window?

Right, for a workaround that's fine. The "proper" fix remains fixing the origin of about:home so web content can't link to it.

Comment 5

[Cody Crews]

I'll try to get this done, the problem is data and having to get a current source repository.  I'll see if I can work some magic, then maybe actually be able to get the patch ready tomorrow or ASAP either way.

Oh yeah, anyway we can get a sec-rating on here, and maybe a sec-bounty? flag :)

Comment 6

[Johann Hofmann [:johannh]]

(In reply to Cody Crews from comment #5)
> I'll try to get this done, the problem is data and having to get a current
> source repository.  I'll see if I can work some magic, then maybe actually
> be able to get the patch ready tomorrow or ASAP either way.
> 
> Oh yeah, anyway we can get a sec-rating on here, and maybe a sec-bounty?
> flag :)

For the bounty part, please see https://www.mozilla.org/en-US/security/client-bug-bounty/ (the bottom section)

Comment 7

[Cody Crews]

(In reply to Johann Hofmann [:johannh] - back on May 2nd from comment #6)
> (In reply to Cody Crews from comment #5)
> > I'll try to get this done, the problem is data and having to get a current
> > source repository.  I'll see if I can work some magic, then maybe actually
> > be able to get the patch ready tomorrow or ASAP either way.
> > 
> > Oh yeah, anyway we can get a sec-rating on here, and maybe a sec-bounty?
> > flag :)
> 
> For the bounty part, please see
> https://www.mozilla.org/en-US/security/client-bug-bounty/ (the bottom
> section)

Yeah I know the SOP for that.  I've been doing this a long time and used to you could just ask for it.  I'll send an email when I get the chance.

On another note, I'm having some of those data/time issues.  If anyone else can pick this up for the workaround fix then please feel free.

I'll let you all know if anything changes.  Thanks.

Comment 8

[Ed Lee :Mardak]

Attachment: v1 screenshot

I have a workaround checking top/window to clear out the page.

Comment 9

[Cody Crews]

I wasn't sure if we just wanted to disable the preferences button and keep most other functionality in tact or take this route.  I supposed this is better, so there isn't the possibility of loading about:newtab in a frame.

Interesting, I'll wait and see what people think.  Good thing I didn't get rolling on this, because I was just going to disable the pref button if window was framed, but this makes more sense I think.

Comment 10

[Ed Lee :Mardak]

The workaround landed in https://github.com/mozilla/activity-stream/pull/4128 to be exported with other changes as part of bug 1457543.

Bug 1438367 will be to remove MAKE_LINKABLE for about:home to match up with about:newtab.

Comment 11

[Paul Theriault [:pauljt] (no longer reading bugmail)]

This needs a security rating. My gut feel here is that the rating is "low": about:home is content privileged, and though it does have the UITour permission, as far as I know there isn't anything particularly sensitive you can do by just clicking. At least that is the conclusion I came to when I secreviewed this previously.  That said, it would be much preferable to remove the risk entirely so we don't cause an issue in the future. 

Actually I see that we noted both the idendexeddb [1] and "linkable" issue in the previous secreview [2]. Something we talked about the secreview meeting last year[2] was potentially adding a CSP meta tag to the page to prevent framing and inline scripts. Is that another option we could use here? 


[1] https://searchfox.org/mozilla-central/source/browser/components/about/AboutRedirector.cpp#80
[2] See the bottom of https://docs.google.com/document/d/1qLY_qc9c2Jvi0YBXBDW0tCXGs3mGkIDwjp7TE4mWGN4/edit#

Comment 12

[Cody Crews]

I think sec-low is a little low of the mark here, right?  I was hoping for at least a moderate here.  I think I got a sec-high/moderate for similar work showing you could open privileged pages from feeds a little more than a year ago.  If it is a sec-low, then sec-low it is.  

Seems like the rating guidelines must have changed, that's fully privileged content being opened from regular content with normal interaction(privilege escalation technically).

Things sure have changed :)

Comment 13

[Cody Crews]

Thought I should add too, I do this for the fun, but a little cash never hurts.  I'm in a complicated situation, maybe consider something better for my next work at least.  Sorry to sound like I'm complaining.  I've stayed extremely loyal to Mozilla through the years.

One of the very reasons was with Google some years back they dropped a sec-medium to a sec-low on day 55 with 60 being the payout deadline, and the guy who had the bug literally said he hadn't even ran the testcase.  Tides are changing everywhere I see.

Sorry, really am but I was counting on something from this to go with some other things to maybe help out my situation.  I'm actually glad I didn't spend even more time on things now.

Comment 14

[Daniel Veditz [:dveditz]]

(In reply to Cody Crews from comment #12)
> Seems like the rating guidelines must have changed, that's fully privileged
> content being opened from regular content with normal interaction(privilege
> escalation technically).

It's a specific privileged URL opened indirectly into a separate tab where the attacking page has no reference or influence. Not the same thing. It's violating our rules, but our rules are stricter than the actual security risks so we don't accidentally slip over the line into trouble. sec-low seems about right.

Comment 15

[Ed Lee :Mardak]

https://hg.mozilla.org/mozilla-central/rev/2c8338ffc0c0

Comment 16

[Cody Crews]

I would think loading about:newtab through about:home would be the first bug here, but I am out of touch.  It seems straight forward enough to me, and unintended by all means.  I'll just go elsewhere for future endeavors, I got a sec-high out of about:feeds content being able to open other privileged content by click on a link about a year and two months ago.

I know me going elsewhere doesn't mean you lose much now, but jeez look at those exploit prices for my old work on the black market lol.

Comment 17

[Cody Crews]

Business is business.

Comment 18

[Cody Crews]

I may take one more run at ff shortly here.  I may even see what else I can do with this, because I didn't follow up to the extreme.  I'm in a bad situation, very bad actually.  I thought hey theres a sec-moderate at least by the rating guidelines I know.  Tides are changing as I said.

You will hear from me.  Also who else would have noticed a change to about:homes behavior so soon as to it being introduced.  Oh well.  Sorry guys.  Life is what it is.

Comment 19

[Cody Crews]

Sorry about that before, it sounds like complaining.  As to the blackmarket exploits, I actually wouldn't and couldnt but those prices look tempting.  I was paid for a high with feeds opening protected content from a click some time back.

Sorry all around, just I need something to come together for sure.  Doing all I can to get back to this at a professional level but life isn't making it easy.

I'll be in touch, and ya know I'll bring something better to the table, or even increase on this.  Sorry guys, just stressing.

Later.

Comment 20

[Daniel Veditz [:dveditz]]

(In reply to Cody Crews from comment #16)
> I would think loading about:newtab through about:home would be the first bug here

Yes it is. That's a known issue: bug 1438367