Closed Bug 1622278 (CVE-2020-6827) Opened 5 years ago Closed 5 years ago

Firefox for Android custom tabs URL spoofing

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr6875+ fixed, firefox73 unaffected, firefox74 unaffected, firefox75 unaffected, firefox76 unaffected)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr68 75+ fixed
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected

People

(Reporter: jupenur, Assigned: petru)

References

(Regression)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-esr68.7+])

Attachments

(4 files)

spoof.html
158 bytes, text/html
Details
Bug 1622278 - Ensure displayed URL in modified only in onLocationChange(); snorp
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr68+
tjr
: sec-approval+
Details | Review
Screenshot_20200313-135914_Firefox Beta.jpg
75.46 KB, image/jpeg
Details
advisory.txt
330 bytes, text/plain
Details
Attached file spoof.html

Custom tabs in Firefox for Android fail to update the URL correctly, allowing malicious websites to spoof other origins.

Steps to reproduce:

  1. Host the attached file (spoof.html) at the following URL: http://evil.example/spoof.html
  2. Open the following URL in Firefox for Android: intent://evil.example/spoof.html#Intent;package=org.mozilla.firefox;action=android.intent.action.VIEW;scheme=http;S.android.support.customtabs.extra.SESSION=;end;
  3. Observe how a custom tab opens, the URL changes to "https://google.com/", yet content is displayed from the "evil.example" host
Flags: sec-bounty?

Snorp, Stefan, can you take a look, please?

Group: firefox-core-security → mobile-core-security
Component: Security → General
Flags: needinfo?(snorp)
Flags: needinfo?(sarentz)
Product: Firefox → Firefox for Android

I see the issue. We get some progress callbacks, including onPageStart() from GeckoView. The load is then aborted, and we get onPageStop() with an "unsuccessful" value passed along. Unfortunately, Fennec changes the displayed URL in onPageStart()[1] and never changes it back after onPageStop(). We should only be changing the displayed URL in onLocationChange().

Petru, can you please remove the line that I linked to below?

[1] https://searchfox.org/mozilla-esr68/source/mobile/android/base/java/org/mozilla/gecko/customtabs/CustomTabsActivity.java#639

Flags: needinfo?(snorp) → needinfo?(petru.lingurar)

Sure, thanks James!

Flags: needinfo?(petru.lingurar)
Assignee: nobody → petru.lingurar

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL in modified only in onLocationChange(); snorp

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Security issue - url spoofing
  • User impact if declined: Url spoofing in custom tabs. Users may be tricked about the real website origin.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very small change
  • String or UUID changes made by this patch:
Attachment #9133236 - Flags: approval-mozilla-esr68?

Even if the URL is switched too early, why are we showing the lock if we haven't securely connected? (see screenshot) are we just parsing the scheme at that point?

Keywords: csectype-spoof, sec-high
Regressed by: customtabs_geckoview
Has Regression Range: --- → yes
Keywords: regression
Status: UNCONFIRMED → NEW
status-firefox74: --- → wontfix
status-firefox75: --- → affected
status-firefox76: --- → affected
status-firefox-esr68: --- → affected
tracking-firefox75: --- → +
tracking-firefox76: --- → +
tracking-firefox-esr68: --- → 75+
Ever confirmed: true

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL in modified only in onLocationChange(); snorp

Approved to land.

Attachment #9133236 - Flags: sec-approval+

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL in modified only in onLocationChange(); snorp

Fixes a sec bug. Approved for Fennec 68.7b1.

Flags: needinfo?(sarentz)
Attachment #9133236 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+

https://hg.mozilla.org/releases/mozilla-esr68/rev/f0d9af5e13b5

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox-esr68: affectedfixed
Resolution: --- → FIXED

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

This is Fennec-only code which only exists on ESR68.

I believe that is incorrect: Snorp said in comment 2 it regressed from when Fennec switched to using shared GeckoView code for this in bug 1356346. ni? him or petru to check me on that, and to see if this has landed on trunk and should be left fixed, or reopened until that happens.

status-firefox74: unaffectedwontfix
status-firefox75: unaffectedaffected
status-firefox76: unaffectedaffected
tracking-firefox75: --- → +
tracking-firefox76: --- → +
Flags: needinfo?(snorp)
Flags: needinfo?(petru.lingurar)
Flags: sec-bounty? → sec-bounty+

(In reply to Daniel Veditz [:dveditz] from comment #12)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

This is Fennec-only code which only exists on ESR68.

I believe that is incorrect: Snorp said in comment 2 it regressed from when Fennec switched to using shared GeckoView code for this in bug 1356346. ni? him or petru to check me on that, and to see if this has landed on trunk and should be left fixed, or reopened until that happens.

Right, the problem is in Fennec-only code which uses GeckoView, not in GV itself.

Flags: needinfo?(snorp)
Flags: needinfo?(petru.lingurar)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-esr68.7+]
Attached file advisory.txt
Alias: CVE-2020-6827
Group: core-security-release
Product: Firefox for Android → Firefox for Android Graveyard
Type: task → defect
Keywords: reporter-external
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: