Persistent Denial of Service via External URI Schemes
Categories
(Firefox for iOS :: General, defect, P1)
Tracking
Tracking | Status | |
---|---|---|
fxios | ? | --- |
People
(Reporter: 0xsobky, Assigned: garvan)
Details
(Keywords: csectype-dos, reporter-external, sec-moderate)
Attachments
(1 file: 1.42 KB, image/png)
While Firefox for iOS shows a confirmation dialog for some URI schemes (e.g., sms: and mailto:), it fails to do so with iOS-specific URI schemes such as photos-redirect:, music:, videos:, shareddocuments:, as well as other standard URI schemes (e.g., ftp: and feed:).
A malicious attacker could abuse these URI schemes to make Firefox (and probably the entire iOS system) completely unusable through a simple redirection loop. The following is a proof of concept:
===
Shortened PoC URL: http://bit.ly/iosdos
Full PoC URL: https://chpoc.herokuapp.com/index.php?url=data:text/html,<script>setInterval(%27location="ftp://example.com"%27)</script>
===
Visiting the link above will cause Firefox to repeatedly open an external app (Safari) without giving the user a chance to close the current tab (which also persists after an app/system restart). Here is also a screen recording of what happens exactly: https://youtu.be/Fm2fFPQ6Otw.
For a quick repro, simply scan the attached QR code :-)
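The mitigation pattern for the behaviour reported above, as an added example that is not part of the original report and is not the fix that landed in Firefox for iOS: treat every non-web scheme as needing user consent, and give script-driven navigations a per-tab prompt budget so a redirect loop cannot keep the user from closing the tab. `ExternalSchemePolicy`, `NavigationDecision`, the in-app scheme set and the thresholds are hypothetical.

```swift
import Foundation

// Added illustration; all names and thresholds are hypothetical.
enum NavigationDecision: Equatable {
    case loadInApp   // ordinary web content, rendered by the web view
    case askUser     // show a confirmation dialog before leaving the app
    case block       // drop the navigation; the page is prompting too often
}

struct ExternalSchemePolicy {
    // Assumption: only these schemes are rendered in-app. Everything else
    // would hand off to another app and therefore needs consent.
    let inAppSchemes: Set<String> = ["http", "https"]
    let maxPromptsPerWindow: Int
    let window: TimeInterval
    private var promptTimes: [Date] = []   // prompts issued for this tab

    init(maxPromptsPerWindow: Int = 2, window: TimeInterval = 10) {
        self.maxPromptsPerWindow = maxPromptsPerWindow
        self.window = window
    }

    mutating func decide(for url: URL, userInitiated: Bool,
                         now: Date = Date()) -> NavigationDecision {
        guard let scheme = url.scheme?.lowercased() else { return .block }
        if inAppSchemes.contains(scheme) { return .loadInApp }
        // Default-deny: ftp:, feed:, music:, photos-redirect: and any scheme
        // not yet known get the same dialog as sms: and mailto:, instead of
        // relying on a hard-coded list of schemes that prompt.
        promptTimes.removeAll { now.timeIntervalSince($0) > window }
        // Script-driven navigations (including those replayed when a tab is
        // restored) are throttled; a tap by the user always gets a dialog.
        if !userInitiated && promptTimes.count >= maxPromptsPerWindow {
            return .block
        }
        promptTimes.append(now)
        return .askUser
    }
}

// Constructed input: a page script redirecting to an ftp: URL in a tight loop.
var policy = ExternalSchemePolicy()
let start = Date()
let target = URL(string: "ftp://example.com")!
for i in 0..<5 {
    let t = start.addingTimeInterval(Double(i) * 0.1)
    print(i, policy.decide(for: target, userInitiated: false, now: t))
}
```

In an app, `decide` would be called from the navigation delegate before any hand-off to the system, with one policy instance per tab.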
Comment 2•5 years ago
The priority flag is not set for this bug.
:garvan, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•5 years ago
Does that mean we can mark this bug "fixed"?
Updated•5 years ago
oops, closing as fixed by that PR yes.