Additional Firefox iOS webkit.messagehandler SECURITY_TOKEN check bypass
Categories
(Firefox for iOS :: General, task)
Tracking
| Flag | Tracking | Status |
|---|---|---|
| fxios | ? | --- |
People
(Reporter: dveditz, Assigned: garvan)
References
Details
(Keywords: csectype-priv-escalation, sec-high)
+++ This bug was initially created as a clone of Bug #1604804 +++
Bug 1604804 fixed a problem where a web page could call our download handler directly and bypass a securityToken check. There are apparently other places that have the same problem (bug 1604804 comment 10), though the only place I found that used the same checking pattern doesn't look bypassable: https://github.com/mozilla-mobile/firefox-ios/blob/327aa1280c4c4962fc0b0d2836d58caf6c67cb2a/content-blocker-lib-ios/js/TrackingProtectionStats.js#L25
We've defined other webkit.messageHandlers, though, and others don't have a securityToken check at all. Can these be called directly from web content too? The FxA one in particular seems scary on the surface if so.
https://github.com/mozilla-mobile/firefox-ios/search?q=webkit.messageHandlers&unscoped_q=webkit.messageHandlers
We need to double-check all these exposed interfaces.
webkit.messageHandlers can be called by any web content; it is up to the receiver to handle the security of this.
FxA messages are guarded by origin: https://github.com/mozilla-mobile/firefox-ios/blob/master/Client/Frontend/Settings/FxAContentViewController.swift#L261
LoginsHelper should have a sec token added: https://github.com/mozilla-mobile/firefox-ios/blob/master/Client/Frontend/Browser/LoginsHelper.swift#L92
I suspect ReaderMode needs a sec token as well.
I'll fix these cases.
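The receiver-side checks the comment above describes (a securityToken check on every handler, plus an origin check for the FxA-style case), as an added example that is not firefox-ios code; the class, handler name and `allowedHosts` are hypothetical:

```swift
import WebKit

// Added example (not firefox-ios code). Every message must carry the
// per-WebView securityToken, and origin-gated handlers (the FxA case)
// also verify the sending frame's origin. All names are hypothetical.
final class GuardedMessageHandler: NSObject, WKScriptMessageHandler {
    // One random token per WKWebView; it appears only in the injected script.
    let securityToken = UUID().uuidString
    // Origin allow-list for handlers only trusted first-party pages may call.
    let allowedHosts: Set<String>

    init(allowedHosts: Set<String>) { self.allowedHosts = allowedHosts }

    // The token lives in a closure and is never attached to window, and the
    // native postMessage is captured at document start, before any page
    // script runs, so a later replacement of it cannot see the token.
    func userScript() -> WKUserScript {
        let source = """
        (function () {
          const SECURITY_TOKEN = "\(securityToken)";
          const handler = window.webkit.messageHandlers.guardedHandler;
          const post = handler.postMessage.bind(handler);
          window.addEventListener("DOMContentLoaded", function () {
            post({ securityToken: SECURITY_TOKEN, type: "pageLoaded", href: location.href });
          });
        })();
        """
        return WKUserScript(source: source, injectionTime: .atDocumentStart, forMainFrameOnly: false)
    }

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard let body = message.body as? [String: Any] else { return }
        // Check 1: token. Page content calling postMessage directly cannot supply it.
        guard let token = body["securityToken"] as? String, token == securityToken else {
            print("dropped \(message.name): missing or wrong securityToken")
            return
        }
        // Check 2: origin of the frame that sent the message.
        let origin = message.frameInfo.securityOrigin
        guard origin.protocol == "https", allowedHosts.contains(origin.host) else {
            print("dropped \(message.name): untrusted origin \(origin.host)")
            return
        }
        // Both checks passed; dispatch on body["type"] from here.
        print("accepted \(message.name) from \(origin.host): \(body["type"] ?? "unknown")")
    }
}
```

Install it with `userContentController.add(handler, name: "guardedHandler")` and `userContentController.addUserScript(handler.userScript())`. On iOS 14 and later, registering both in a dedicated `WKContentWorld` (`add(_:contentWorld:name:)` and the `WKUserScript` initializer taking `in:`) keeps the handler out of the page's JavaScript world entirely, so the token check becomes defence in depth rather than the only barrier.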
Comment 3•6 years ago
Awesome--thanks!