Closed Bug 1520762 Opened 5 years ago Closed 5 years ago

Certificate installation via data attribute inside the <img> tag

Categories

(Core :: Security: PSM, defect, P3)

64 Branch
Desktop
All
defect


RESOLVED DUPLICATE of bug 1024871

People

(Reporter: antoniozekic, Unassigned)


(Whiteboard: [reporter-external] [client-bounty-form] [verif?][psm-backlog])

Attachments (1 file)

Attached file PoC.zip (2.36 MB, application/zip)

When using data attribute inside the <img> tag, it is possible to add application/x-x509-ca-cert;base64,base64data==, e.g.

<img src="data:application/x-x509-ca-cert;base64,base64data==" />

This can be observed in the attached "Screen Shot 1.png", where an image preview error icon shows on page load.
Right-clicking the icon and selecting the "View Image" option, as seen in "Screen Shot 2.png", leads to a certificate installation prompt, as seen in "Screen Shot 3.png".

This is obviously unintended application behavior that gives an attacker a way to trick the user into installing a malicious certificate on their device by means of social engineering.

Screenshots as well as html file with mentioned tags and attributes are provided in an attachment.
The issue was tested on 64.0.2 (64-bit) on both the Windows and macOS platforms.

Flags: sec-bounty?
OS: Unspecified → All
Hardware: Unspecified → Desktop
Version: unspecified → 64 Branch
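The pattern the report describes (a data: URL in an img src whose declared media type is not an image) is easy to scan for in HTML you host or accept from users. The following is an added example, not the reporter's PoC and not Firefox code: it parses data: URLs per RFC 2397, flags img tags whose media type is not an image type, and, as a second check, sniffs image-typed payloads for PEM or DER certificate structure. The IMAGE_TYPES list, the certificate heuristic and the sample HTML (including the fake PEM and DER bytes) are constructed for this example.

```javascript
// Added example for bug 1520762 (not Mozilla/Firefox code): find <img> tags whose
// src is a data: URL and flag the ones that do not actually carry an image.

// Media types a browser would legitimately render in <img> (assumed list).
// Anything else, e.g. application/x-x509-ca-cert, is not an image and is flagged.
const IMAGE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp",
  "image/bmp", "image/svg+xml", "image/avif", "image/x-icon",
]);

// Parse a data: URL per RFC 2397: data:[<mediatype>][;base64],<data>
// Returns { mediaType, base64, payload } or null when it is not a data: URL.
function parseDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url.trim());
  if (!m) return null;
  const params = m[1].split(";").map((s) => s.trim()).filter(Boolean);
  let mediaType = "text/plain";          // RFC 2397 default when no type is given
  let base64 = false;
  if (params.length && params[0].includes("/")) mediaType = params.shift().toLowerCase();
  if (params.length && params[params.length - 1].toLowerCase() === "base64") {
    base64 = true;
    params.pop();
  }
  let payload;
  try {
    payload = base64
      ? Buffer.from(m[2], "base64")
      : Buffer.from(decodeURIComponent(m[2]), "latin1");
  } catch {
    payload = Buffer.alloc(0);           // malformed percent-encoding: treat as empty
  }
  return { mediaType, base64, payload };
}

// Heuristic (assumption, not a full parser): does the payload look like an X.509
// certificate? PEM starts with the BEGIN CERTIFICATE banner; a DER certificate is
// an ASN.1 SEQUENCE (tag 0x30) with a long-form length (high bit of byte 1 set).
function looksLikeCertificate(bytes) {
  if (bytes.length < 4) return false;
  const head = bytes.subarray(0, 27).toString("latin1");
  if (head.startsWith("-----BEGIN CERTIFICATE-----")) return true;
  return bytes[0] === 0x30 && (bytes[1] & 0x80) !== 0;
}

// Scan HTML for <img src="data:..."> and return one finding per suspicious tag.
function auditImgTags(html) {
  const findings = [];
  const re = /<img\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1];
    const parsed = parseDataUrl(src);
    if (!parsed) continue;                              // not a data: URL, skip
    if (!IMAGE_TYPES.has(parsed.mediaType)) {
      findings.push({ src: src.slice(0, 40), mediaType: parsed.mediaType,
                      reason: "non-image media type in <img> data: URL" });
    } else if (looksLikeCertificate(parsed.payload)) {
      findings.push({ src: src.slice(0, 40), mediaType: parsed.mediaType,
                      reason: "image media type declared but payload looks like a certificate" });
    }
  }
  return findings;
}

// Constructed sample page (not the reporter's PoC): a real 1x1 PNG, the bug's
// pattern with a fake PEM body, a DER-looking blob mislabelled as PNG, and an
// ordinary remote image that the scanner ignores.
const FAKE_PEM = Buffer.from(
  "-----BEGIN CERTIFICATE-----\nMIIBfakebodyfakebody\n-----END CERTIFICATE-----\n");
const FAKE_DER = Buffer.from([0x30, 0x82, 0x01, 0xb3, 0x30, 0x82, 0x01, 0x59]);
const SAMPLE_HTML = `
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==" />
<img src="data:application/x-x509-ca-cert;base64,${FAKE_PEM.toString("base64")}" />
<img src="data:image/png;base64,${FAKE_DER.toString("base64")}" />
<img src="https://example.invalid/logo.png" />
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditImgTags(SAMPLE_HTML)) console.log(f);
}
```

Running the block prints two findings: the x-x509-ca-cert tag and the PNG-labelled DER blob. Note that this is a scanner for content you control or accept; it does not change what the browser does with "View Image" on a page the attacker serves, which is the part only the browser fix can address.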

Hm, interesting find. I'm not sure whether this is really a bug or something that needs to stay hidden, though. Firefox allows you to install certificates from the web, which has rightfully been a point of discussion for a long time. Wouldn't directly linking to a CA cert trigger the same dialog as well?

As far as I know, however, at this point we don't have a great alternative, especially for enterprise deployments.

Dana, any thoughts on this?

Flags: needinfo?(dkeeler)

Sure, directly linking to a CA certificate triggers the same dialog. However (considering the scenario) it clearly isn't intended application behavior in which case handling it differently would reduce the risk. That is, if you agree. Anyway I should leave this for you to discuss.

Group: firefox-core-security → crypto-core-security
Component: Security → Security: PSM
Product: Firefox → Core

Neat trick, but this isn't fundamentally different from serving up a CA cert as a file and hoping (or tricking using some "make sure you click ok!" pre-prompt) that the user installs it. See also bug 1024871.

Flags: needinfo?(dkeeler)

unexpected behavior, but doesn't need to be hidden. I don't know that we'd fix the "View Image" bit independently of bug 1024871 so maybe this is functionally a dupe, but for now I've made it "depend on".

Group: crypto-core-security
Depends on: 1024871

(In reply to Daniel Veditz [:dveditz] from comment #4)

> unexpected behavior, but doesn't need to be hidden. I don't know that we'd fix the "View Image" bit independently of bug 1024871 so maybe this is functionally a dupe, but for now I've made it "depend on".

Is there a way to fix the "View image" behavior independently? If it's not an image (i.e. application/x-x509-ca-cert), should it even be an option?

Group: core-security

That would be a UX question (probably better to ask via IRC or on dev-firefox than moving this bug to the Firefox product). I suspect that the part of the product UI that generates menus only knows the image is broken--maybe not even that!--but not any details of why it's broken (server down? HTTP error status? invalid content type? valid type but corrupt?)

Group: core-security
Priority: -- → P3
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][psm-backlog]
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE

You should reconsider this as a product security issue rather than just a duplicate, now that it's been resolved (1024871).
It does not qualify for a bounty or anything like that; however, there was a risk, and the issue was present for three years.
