Closed Bug 1622278 (CVE-2020-6827) Opened 4 years ago Closed 4 years ago

Firefox for Android custom tabs URL spoofing

Categories

(Firefox for Android Graveyard :: General, task)

Tracking

(firefox-esr6875+ fixed, firefox73 unaffected, firefox74 unaffected, firefox75 unaffected, firefox76 unaffected)

RESOLVED FIXED

People

(Reporter: jupenur, Assigned: petru)

References

(Regression)

Details

(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-esr68.7+])

Attachments

(4 files)

Attached file spoof.html

Custom tabs in Firefox for Android fail to update the URL correctly, allowing malicious websites to spoof other origins.

Steps to reproduce:

  1. Host the attached file (spoof.html) at the following URL: http://evil.example/spoof.html
  2. Open the following URL in Firefox for Android: intent://evil.example/spoof.html#Intent;package=org.mozilla.firefox;action=android.intent.action.VIEW;scheme=http;S.android.support.customtabs.extra.SESSION=;end;
  3. Observe how a custom tab opens, the URL changes to "https://google.com/", yet content is displayed from the "evil.example" host
Flags: sec-bounty?

Snorp, Stefan, can you take a look, please?

Group: firefox-core-security → mobile-core-security
Component: Security → General
Flags: needinfo?(snorp)
Flags: needinfo?(sarentz)
Product: Firefox → Firefox for Android

I see the issue. We get some progress callbacks, including onPageStart() from GeckoView. The load is then aborted, and we get onPageStop() with an "unsuccessful" value passed along. Unfortunately, Fennec changes the displayed URL in onPageStart()[1] and never changes it back after onPageStop(). We should only be changing the displayed URL in onLocationChange().

Petru, can you please remove the line that I linked to below?

[1] https://searchfox.org/mozilla-esr68/source/mobile/android/base/java/org/mozilla/gecko/customtabs/CustomTabsActivity.java#639

Flags: needinfo?(snorp) → needinfo?(petru.lingurar)

Sure, thanks James!

Flags: needinfo?(petru.lingurar)
Assignee: nobody → petru.lingurar

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL is modified only in onLocationChange(); snorp

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Security issue - url spoofing
  • User impact if declined: Url spoofing in custom tabs. Users may be tricked about the real website origin.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very small change
  • String or UUID changes made by this patch:
Attachment #9133236 - Flags: approval-mozilla-esr68?

Even if the URL is switched too early, why are we showing the lock if we haven't securely connected? (see screenshot) are we just parsing the scheme at that point?

Has Regression Range: --- → yes
Keywords: regression
Status: UNCONFIRMED → NEW
Ever confirmed: true
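As an added illustration (not Fennec's actual CustomTabsActivity code) of the fix described in comment 2 and of the lock-icon question above: a GeckoView toolbar controller that commits the displayed URL only from onLocationChange() and derives the lock from onSecurityChange() rather than from the scheme of a URL that has merely started loading. The TextView/ImageView/View fields and the GeckoView ESR68-era delegate interfaces with default methods are assumptions.

```java
import android.view.View;
import android.widget.ImageView;
import android.widget.TextView;

import org.mozilla.geckoview.GeckoSession;

// Added example, not Fennec's CustomTabsActivity: a toolbar controller that
// only ever adopts a URL that GeckoView has actually committed.
public class UrlBarController implements GeckoSession.ProgressDelegate,
                                         GeckoSession.NavigationDelegate {
    private final TextView mUrlView;     // assumed toolbar URL field
    private final ImageView mLockView;   // assumed lock icon
    private final View mProgressView;    // assumed loading indicator

    public UrlBarController(GeckoSession session, TextView urlView,
                            ImageView lockView, View progressView) {
        mUrlView = urlView;
        mLockView = lockView;
        mProgressView = progressView;
        session.setProgressDelegate(this);
        session.setNavigationDelegate(this);
    }

    // A load for `url` has started. It may still be aborted, redirected or
    // blocked, so the toolbar must not show it yet. The Fennec bug was
    // setting the displayed URL from this callback.
    @Override
    public void onPageStart(GeckoSession session, String url) {
        mProgressView.setVisibility(View.VISIBLE);
    }

    // The load finished; success == false means it was aborted. Nothing to
    // revert here, because onPageStart() never touched the displayed URL.
    @Override
    public void onPageStop(GeckoSession session, boolean success) {
        mProgressView.setVisibility(View.GONE);
    }

    // Only a committed navigation changes what the user sees in the bar.
    @Override
    public void onLocationChange(GeckoSession session, String url) {
        mUrlView.setText(url != null ? url : "about:blank");
    }

    // The lock reflects GeckoView's security state for the committed page,
    // not a scheme parsed out of whichever URL was last passed around.
    @Override
    public void onSecurityChange(GeckoSession session, SecurityInformation info) {
        mLockView.setVisibility(info.isSecure ? View.VISIBLE : View.GONE);
    }
}
```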

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL is modified only in onLocationChange(); snorp

Approved to land.

Attachment #9133236 - Flags: sec-approval+

Comment on attachment 9133236 [details]
Bug 1622278 - Ensure displayed URL is modified only in onLocationChange(); snorp

Fixes a sec bug. Approved for Fennec 68.7b1.

Flags: needinfo?(sarentz)
Attachment #9133236 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> This is Fennec-only code which only exists on ESR68.

I believe that is incorrect: Snorp said in comment 2 it regressed from when Fennec switched to using shared GeckoView code for this in bug 1356346. ni? him or petru to check me on that, and to see if this has landed on trunk and should be left fixed, or reopened until that happens.

Flags: needinfo?(snorp)
Flags: needinfo?(petru.lingurar)
Flags: sec-bounty? → sec-bounty+

(In reply to Daniel Veditz [:dveditz] from comment #12)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> > This is Fennec-only code which only exists on ESR68.
>
> I believe that is incorrect: Snorp said in comment 2 it regressed from when Fennec switched to using shared GeckoView code for this in bug 1356346. ni? him or petru to check me on that, and to see if this has landed on trunk and should be left fixed, or reopened until that happens.

Right, the problem is in Fennec-only code which uses GeckoView, not in GV itself.

Flags: needinfo?(snorp)
Flags: needinfo?(petru.lingurar)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-esr68.7+]
Alias: CVE-2020-6827
Group: core-security-release
Product: Firefox for Android → Firefox for Android Graveyard