Bug 1479311 (CVE-2018-12382)

Firefox for Android - AddressBar Spoofing using specially-crafted javascript: URL opened in a new tab

VERIFIED FIXED in Firefox 62

Status

defect
VERIFIED FIXED
9 months ago
8 months ago

People

(Reporter: jordi.chancel, Assigned: JanH)

Tracking

({csectype-spoof, regression, sec-low})

Firefox 61
Firefox 63
All
Android
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(firefox61 wontfix, firefox62 verified, firefox63 fixed)

Details

(Whiteboard: [adv-main62+], URL)

Attachments

(2 attachments)

(Reporter)

Description

9 months ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180604143143

Steps to reproduce:

When a malicious web page on an attacker web site opens a javascript: URL containing the attacker domain
(example: attacker domain = www.yyy.com ; javascript URL opened = javascript: [codes] + www.yyy.com + [codes]),
the attacker domain is visible at the right of the AddressBar and covers the javascript: protocol,
so at the left of the AddressBar it is possible to show another domain (ex: www.google.com ; www.bankofamerica.com …).

This can lead to AddressBar Spoofing (the video demo in Attachments will show you how this vulnerability works).

STR:
1) Go to the TestCase URL and click on the « ClickMe » link (the specially-crafted javascript: URL is now opened in a new tab).

This javascript: URL opened in a new tab can lead to AddressBar Spoofing.



Actual results:

The specially-crafted javascript: URL can lead to AddressBar Spoofing (As demonstrated in the video-demo in Attachments).


Expected results:

A possibility to fix this vulnerability: the specially-crafted javascript: URL should be visible like other javascript: URLs (the javascript: protocol should always be visible in the Address Bar).
(Reporter)

Comment 1

9 months ago
Posted file Video-demo.html
The Video-demo.
Flags: sec-bounty?
Group: firefox-core-security
(Assignee)

Comment 2

9 months ago
I guess we shouldn't attempt to do domain highlighting (which is what drives the scrolling of the URL) for URLs starting with "javascript:" here: https://dxr.mozilla.org/mozilla-central/rev/a2d65d03e46a9a42b5bee5c2a7864d3f987a8ca7/mobile/android/app/src/photon/java/org/mozilla/gecko/toolbar/ToolbarDisplayLayout.java#331
Assignee: nobody → jh+bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All
Comment on attachment 8997537 [details]
Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.

https://reviewboard.mozilla.org/r/261256/#review268954
Attachment #8997537 - Flags: review?(snorp) → review+

Comment 5

9 months ago
Pushed by mozilla@buttercookie.de:
https://hg.mozilla.org/integration/autoland/rev/bf82b74a7db7
Don't attempt finding and highlighting a tab's base domain within a javascript: URL. r=snorp

Comment 6

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/bf82b74a7db7
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
(Assignee)

Comment 7

8 months ago
Comment on attachment 8997537 [details]
Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.

Approval Request Comment
[Feature/Bug causing the regression]: URL bar domain highlighting in combination with bug 1271998
[User impact if declined]: A tab's base domain contained within a "javascript:" URL might incorrectly be highlighted and scrolled to, obscuring the fact that the URL is in fact a "javascript:" URL.
[Is this code covered by automated tests?]: No.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just adding a check for the "javascript:" protocol in the domain highlighting code.
[String changes made/needed]: None.
Attachment #8997537 - Flags: approval-mozilla-beta?
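The mechanism described in the approval request (base domain found inside a javascript: URL, display scrolled to it, scheme pushed out of view) and the fix (skip highlighting for javascript: URLs), modelled as an added example. This is a simplified JavaScript model written for this page, not Firefox for Android's ToolbarDisplayLayout code; the URL, domain, display width and the case-insensitive scheme test are all constructed assumptions.

```javascript
// Constructed sample: the tab's base domain appears inside a javascript: URL,
// far enough to the right that scrolling the display to it hides the scheme.
const BASE_DOMAIN = "www.yyy.com";
const SPOOF_URL = "javascript:" + "x".repeat(40) + "//" + BASE_DOMAIN;

// Vulnerable behaviour: look for the base domain anywhere in the URL text and
// return the character range to highlight (the display scrolls to this range).
function findDomainHighlight(urlText, baseDomain) {
  const idx = urlText.indexOf(baseDomain);
  if (idx < 0) return null;
  return { start: idx, end: idx + baseDomain.length };
}

// Fixed behaviour: never highlight (and so never scroll) for javascript: URLs,
// so the display always starts at the scheme. Case-insensitive match is an
// assumption of this model, not a statement about the project's patch.
function findDomainHighlightFixed(urlText, baseDomain) {
  if (/^javascript:/i.test(urlText)) return null;
  return findDomainHighlight(urlText, baseDomain);
}

// Model of the toolbar: `width` characters fit on screen. With a highlight the
// view is scrolled so the highlighted domain sits at the right edge; without
// one the view shows the URL from its first character.
function visibleText(urlText, highlight, width) {
  if (urlText.length <= width) return urlText;
  if (highlight === null) return urlText.slice(0, width);
  const start = Math.max(0, highlight.end - width);
  return urlText.slice(start, start + width);
}

// True when the javascript: scheme is on screen for the given highlight decision.
function schemeVisible(urlText, highlight, width) {
  return visibleText(urlText, highlight, width).toLowerCase().startsWith("javascript:");
}

// Compare both decisions for one URL at one display width.
function checkUrl(urlText, baseDomain, width) {
  return {
    vulnerableShowsScheme: schemeVisible(urlText, findDomainHighlight(urlText, baseDomain), width),
    fixedShowsScheme: schemeVisible(urlText, findDomainHighlightFixed(urlText, baseDomain), width),
  };
}

console.log(checkUrl(SPOOF_URL, BASE_DOMAIN, 30));
// Normal https URLs keep their domain highlight under the fixed logic.
console.log(findDomainHighlightFixed("https://" + BASE_DOMAIN + "/path", BASE_DOMAIN));
```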
Comment on attachment 8997537 [details]
Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.

Adding a simple check for protocol; let's uplift for beta 18.
Attachment #8997537 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main62+]

Comment 10

8 months ago
Verified as fixed on Beta 62.0b19, javascript:setTimeout is visible in the URL bar.
Marking as verified since it won't fix 61.
Status: RESOLVED → VERIFIED
Unfortunately does not qualify for our bug bounty program
Blocks: 1271998
Flags: sec-bounty? → sec-bounty-
Keywords: regression
Alias: CVE-2018-12382