Address bar spoof with dynamic address bar
Categories
(Focus :: General, defect)
Tracking
(Not tracked)
People
(Reporter: nikhil.mittal641, Assigned: fluffyemily)
References
Details
(Keywords: csectype-spoof, sec-high, Whiteboard: [geckoview:fenix:p2])
Attachments
(1 file)
126.84 KB,
text/html
|
Details |
Comment 1•6 years ago
|
||
Comment 2•6 years ago
|
||
Comment 3•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment hidden (obsolete) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment 8•5 years ago
|
||
Assigning to Stefan to figure out next steps (and follow up on comment 7).
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Colin, would you mind verifying this bug on both Fenix and Focus?
I'm specially interested to understand whether this bug applies to Fenix or not. Although this bug is filed in the Fenix component here on Bugzilla, it seems to be only reported for Focus and Rocket.
Comment 10•5 years ago
|
||
Max, can your team verify this for Rocket? With Rocket having Focus as a starting point, we can probably collaborate on a good fix?
Comment 11•5 years ago
|
||
(In reply to Stefan Arentz [:st3fan] from comment #9)
Colin, would you mind verifying this bug on both Fenix and Focus?
I'm specially interested to understand whether this bug applies to Fenix or not. Although this bug is filed in the Fenix component here on Bugzilla, it seems to be only reported for Focus and Rocket.
Chris muddied this bug by moving it from Focus where it was reported. It does not apply to Fenix because we have a fixed address bar. It is something we should keep in mind for enabling the dynamic toolbar. Maybe it should be moved back to Focus and a Fenix issue opened to track not repeating previous problems?
Comment 12•5 years ago
|
||
Colin, it will also be interesting to know whether this bug applies to the GeckoView or WebView version of Focus.
Comment 13•5 years ago
|
||
For Firefox Lite (Rocket) bug 1491553 exists which is exactly the same as this one. As they are separate products it makes sense to track the issues individually.
Comment 14•5 years ago
|
||
(In reply to Kevin Brosnan [:kbrosnan] from comment #11)
Maybe it should be moved back to Focus and a Fenix issue opened to track not repeating previous problems?
I moved the bug back to Focus.
Paul's team specifically tested URL bar spoofing on Fenix and this specific case did not come back as an issue afaik - Asking Paul because I think Freddy (who did the tests) is on leave until the end of the month.
Updated•5 years ago
|
Updated•5 years ago
|
Comment 15•5 years ago
|
||
On Firefox Focus running GeckoView, the exploit code appears to reload a page in an infinite loop after pressing the Goto Gmail button and does not present any web content. If I slow down the setInterval call, it shows a Gmail login with a fully-qualified URL, but it appears to be the real page loaded and not a spoof (or it would have a spoofed URL as used in the code, https://www.google.com).
On Firefox Focus running WebView, the exploit code loads the site for https://www.google.com and not a Gmail login form. If I slow down the setInterval call, it shows the Gmail homepage with a fully-qualified URL, but it appears to be the real page loaded and not a spoof.
While it's possible there is an exploit here, it does not appear to be working as intended on Firefox Focus.
Comment 16•5 years ago
|
||
(In reply to Kevin Brosnan [:kbrosnan] from comment #13)
For Firefox Lite (Rocket) bug 1491553 exists which is exactly the same as
this one. As they are separate products it makes sense to track the issues
individually.
I don't think it is clear whether these two bugs are the same.
To me it sounds like this bug is a real url bar spoofing one (showing the wrong URL in the native URL bar) while the one filed in Rocket is a UI spoof (it renders the focus url bar in html).
Can anyone confirm that?
Comment 17•5 years ago
•
|
||
Regarding Fenix, I see the same behavior as Focus GeckoView.
There's confusion about how this spoofing bug works. There's no way a dynamic URL bar is relevant to this bug, since it doesn't appear to fake the UI of the URL bar. The exploit, if it works, appears to function by navigating to an exploit site followed by navigating to the real Google site, but the exploit never intends to actually arrive there.
The hope is that the user will type their username and password into the exploit site and submit it while the exploit code is still looping. However, I haven't actually witnessed the exploit site getting loaded before the looping begins. Nor have I seen the spoof URL appear.
(In reply to Stefan Arentz [:st3fan] from comment #14)
(In reply to Kevin Brosnan [:kbrosnan] from comment #11)
Maybe it should be moved back to Focus and a Fenix issue opened to track not repeating previous problems?
I moved the bug back to Focus.
Paul's team specifically tested URL bar spoofing on Fenix and this specific case did not come back as an issue afaik - Asking Paul because I think Freddy (who did the tests) is on leave until the end of the month.
Freddy did do testing here, and I don't believe he found any issues. Testing was mainly focused on previous vectors though so that isnt to say that there might not be a new as yet undiscovered approach. However from my own testing, this bug appears to be invalid for Fenix. The phone just seem to hang in a loop of reloading, with the address bar displaying the page where the test page was loaded. Eventually android killed it (presumably OOM). Which is presumably in line with the assessment in comment 11.
Comment 19•5 years ago
|
||
(In reply to Colin Lee from comment #15)
On Firefox Focus running GeckoView, the exploit code appears to reload a page in an infinite loop after pressing the Goto Gmail button and does not present any web content. If I slow down the setInterval call, it shows a Gmail login with a fully-qualified URL, but it appears to be the real page loaded and not a spoof (or it would have a spoofed URL as used in the code, https://www.google.com).
On Firefox Focus running WebView, the exploit code loads the site for https://www.google.com and not a Gmail login form. If I slow down the setInterval call, it shows the Gmail homepage with a fully-qualified URL, but it appears to be the real page loaded and not a spoof.
Thanks Colin, while it sounds like a GV user is not exploited I think we want something more like the webview behavior. I'll move this to GV for triage.
(Note fix at https://bugs.chromium.org/p/chromium/issues/detail?id=622183)
(In reply to Stefan Arentz [:st3fan] from comment #10)
Max, can your team verify this for Rocket? With Rocket having Focus as a starting point, we can probably collaborate on a good fix?
There is a separate bug for Rocket and given the WV behavior I think we are good there (per Max).
Comment 20•5 years ago
|
||
Dan ok to lower sec rating given last few comments?
Comment 21•5 years ago
|
||
The addressbar is not implemented by "GeckoView", it is a property of each browser's UI. in theory maybe GV needs to expose navigation events or some such to browsers, but there's no hint that's going on here and per Paul there's been testing. Moving this back to Focus, the original bug report.
Comment 22•5 years ago
|
||
Like Colin, I cannot reproduce this in the Focus version I get from the Play Store.
Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Updated•2 years ago
|
Description
•