Closed Bug 1493182 Opened 7 years ago Closed 6 years ago

external protocol handlers opened without asking first

Categories

(Firefox for iOS :: General, defect)

Other
iOS
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: yigitcnyilmaz, Assigned: garvan)


Details

(Keywords: reporter-external, sec-low)

Attachments

(1 file)

Attached image team.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce:

A website can open an application without user permission in the Firefox iOS application, and a website can command any application through the Firefox iOS application. A website can create a chain. A website can redirect system applications with this bug. A website can do it consistently for some ads or mala fide purposes (+18 App Store app redirecting, or +18 personal phone numbers can be opened in Messages; a website can create erotic or spam mail content). People may encounter things they do not want to see. People can be put in a difficult situation next to their friends.

A question function should be added (for example: "Do you want to open it in Messages?", "Do you want to open it in Mail?" or "Do you want to open it in App Store?"). Many application developers have added a question about this issue (for example: "Do you want to open it in Messages?", "Do you want to open it in Mail?" or "Do you want to open it in App Store?"). You can see Safari for example. What is the Apple Product Security Team saying about this? Please look at team.png.

Steps to reproduce:
1- Download Firefox for iOS in App Store
2- Open this website with Firefox iOS: http://yigitcanyilmaz.hol.es/scheme
3- Wait

Actual results:
Firefox opened an application without user permission.

Expected results:
Firefox should ask a question.
Like Firefox for Desktop and Firefox for Android, we should be asking the user's permission before handing unknown things off to the OS (protocols or content-types).

* It's OK to have a whitelist of "safe" schemes that are such standard things that users will expect to "just work". These must not complete an action (sending mail, making a call) but it's OK to open the equivalent of a "compose" page in another app. In Firefox for Android we decided that "sms:" used in your testcase is in fact one of those (see bug 819554). We also don't prompt for "mailto:" and "tel:" (bug 589403).

* It's OK to remember the user's choice for the future but better if that's not the default (just because safesite.com is non-maliciously launching iTunes doesn't mean you want any random site to be able to start playing things). If we remember things permanently then the user needs a way to clear it. --> one option might be to remember permanently by default for each protocol/origin pair, but clear it if the user chooses "forget about this site". The easiest option is to not remember things at all and just ask each time.

How common is it (apart from the ones we want to whitelist above)?

Stefan: Who can look into this for Firefox for iOS?

Susheel: please check that Focus for iOS and Android behave appropriately and clone separate bugs if not.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Flags: needinfo?(sdaswani)
Flags: needinfo?(sarentz)
Summary: Firefox Scheme → external protocol handlers opened without asking first
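The prompting policy sketched in the comment above, written out as an added Python example (not Firefox for iOS code): compose-only schemes open without a prompt unless the Focus-style setting is on, every other non-web scheme prompts, and the user's answer can be remembered per protocol/origin pair and cleared per site. The in-memory store, the `itms-apps` URL and the origins used in the comments are constructed sample values.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Schemes the browser renders itself; these are never handed to the OS.
WEB_SCHEMES = {"http", "https", "about", "blob", "data"}
# "Safe" compose-style schemes: they only open a draft (mail, call, SMS);
# the user still has to press Send or Call in the other app.
COMPOSE_SCHEMES = {"mailto", "tel", "sms"}


@dataclass
class HandoffPolicy:
    """Decides whether a non-web URL may be handed to an external app.

    prompt_for_compose=True gives the Focus behaviour (ask even for sms:);
    False gives the Firefox for Android behaviour described in comment 1.
    The remembered-answer store is a hypothetical in-memory dict here.
    """
    prompt_for_compose: bool = False
    remembered: dict = field(default_factory=dict)  # (scheme, origin) -> bool

    def decide(self, target_url: str, page_origin: str) -> str:
        """Return 'navigate', 'open', 'block' or 'prompt' for a link."""
        scheme = urlsplit(target_url).scheme.lower()
        # Relative URLs have no scheme and stay inside the browser.
        if not scheme or scheme in WEB_SCHEMES:
            return "navigate"
        if scheme in COMPOSE_SCHEMES and not self.prompt_for_compose:
            return "open"
        # Memory is keyed per protocol/origin pair: a site that was allowed
        # to launch iTunes does not let every other origin do the same.
        answer = self.remembered.get((scheme, page_origin))
        if answer is None:
            return "prompt"
        return "open" if answer else "block"

    def remember(self, target_url: str, page_origin: str, allow: bool) -> None:
        """Store the user's prompt answer for this protocol/origin pair."""
        scheme = urlsplit(target_url).scheme.lower()
        self.remembered[(scheme, page_origin)] = allow

    def forget_site(self, page_origin: str) -> None:
        """'Forget about this site': clear every remembered answer for it."""
        self.remembered = {
            key: allow for key, allow in self.remembered.items()
            if key[1] != page_origin
        }
```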
Removing my NI since this is FF iOS, Stefan will handle.
Flags: needinfo?(sdaswani)
(In reply to :sdaswani only needinfo from comment #2)
> Removing my NI since this is FF iOS, Stefan will handle.

No, the question to you was to check if Focus for Android had the same broken behavior, and clone a bug for it if so.
Flags: needinfo?(sdaswani)
This seems to be a non-issue on Focus Android. We are already displaying this prompt: https://drive.google.com/file/d/1cih2oMdqvL7zKQsoFpKcYSGNyTjoG5SG/view?usp=sharing. Is this insufficient?
NI'ing Dan to respond to this comment. https://bugzilla.mozilla.org/show_bug.cgi?id=1493182#c9
Flags: needinfo?(dveditz)
If we do that consistently when an external app is opened from Focus then that's fine.
Flags: needinfo?(dveditz)
Hello, I want to learn the situation.
Flags: needinfo?(dveditz)
needinfo -> st3fan or another Firefox for iOS person. For SMS in particular (the example in your now-gone testcase) we explicitly chose not to ask the user in Firefox for Android (see comment 1) and do ask in Focus. Either is a valid choice for SMS, tel, and mailto (personally I would prefer being asked). Other protocols should prompt the user (but without an iOS device to test on I don't know whether we do or don't, thus the needinfo?st3fan).
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
Group: firefox-core-security → mobile-core-security

Hello,
Has the Mozilla Firefox team solved this problem? It has been 7 months. I am concerned whether the iOS team is working on this issue.
Please solve this issue.

Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz) → needinfo?(fpatel)

> Steps to reproduce:
> 1- Download Firefox for iOS in App Store
> 2- Open this website with Firefox iOS: http://yigitcanyilmaz.hol.es/scheme
> 3- Wait

The repro page is no longer up.

Hello,
The new proof of concept is here: https://yigittestman.000webhostapp.com/redirect . Please check it.

Thanks,
Yiğit Can YILMAZ

Flags: needinfo?(gkeeley)

Confirmed bug is still happening. I'll fix this.

Daniel: We should do a bug bounty for this one.

Flags: needinfo?(sarentz)
Flags: needinfo?(gkeeley)
Flags: needinfo?(fpatel)
Flags: needinfo?(dveditz)
Assignee: nobody → gkeeley

Will go out in Firefox 18.
This is a low-risk issue, as there would be additional steps a user would have to take after the URL opened a draft mail or draft SMS.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

Making this a sec-low issue on examination. This does not qualify for a bounty as a sec-low issue because the protocols in question are not dangerous and require a prompt before sending.

If you have questions, please email security@mozilla.org instead of leaving repeated off-topic comments here in the bug.

Flags: sec-bounty? → sec-bounty-
Keywords: sec-moderate → sec-low
Group: mobile-core-security → core-security-release
Group: core-security-release