Closed Bug 1628288 (CVE-2020-12394) Opened 11 months ago Closed 11 months ago

Location bar site information is misleading when selecting Top Site with keyboard and then cancelling

Categories

(Firefox :: Address Bar, defect, P1)

75 Branch

Tracking

VERIFIED FIXED
Firefox 77
Iteration:
77.1 - Apr 6 - Apr 19
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- wontfix
firefox76 --- verified
firefox77 --- verified

People

(Reporter: ke5trel, Assigned: mak)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, sec-low, Whiteboard: [adv-main76+])

Attachments

(3 files)

STR:

  1. Go to https://mozilla.org.
  2. Focus location bar.
  3. Use arrow keys to highlight reddit.com top site.
  4. Press escape key or click elsewhere without selecting.

Expected:

The location bar shows the current site or does not show site information icons.

Actual:

The highlighted reddit.com URL persists as if it is the current site with the padlock and site permissions of mozilla.org, making it visually indistinguishable from being on the site itself.

This could be exploited by someone with physical access to a computer to do phishing attacks.

Is not this how things always worked?

Select a url from the dropdown, then focus content. You can do the same in Chrome and most browsers.

If you change the URL any other way, the site information icons (padlock, shield and permissions) are hidden and replaced with a magnifying glass which persists when the location bar loses focus. This makes it clear that it is in a modified state and does not represent the current site. Chrome also hides the padlock icon if the URL has been modified.

That's a fair point; selecting Top Sites doesn't invalidate pageproxystate.

Priority: -- → P1
Blocks: 1630275
Assignee: nobody → mak
Status: NEW → ASSIGNED
Iteration: --- → 77.1 - Apr 6 - Apr 19
Attached file Bug 1628288. r=adw
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77

Comment on attachment 9141020 [details]
Bug 1628288. r=adw

Beta/Release Uplift Approval Request

  • User impact if declined: When using Top Sites from the urlbar, sometimes we may be showing confusing security information that refers to a different origin
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Load a secure page like https://www.mozilla.org/
    Click on the urlbar, so that Top Sites appear
    Move through Top Sites with the keyboard
    Check that there's no shield/Lock when doing that
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It's a very simple code change hiding the security indicators when the urlbar value is set by selecting a result, the risk should be minimal.
  • String changes made/needed:
Attachment #9141020 - Flags: approval-mozilla-beta?
Flags: qe-verify+
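
The behaviour discussed in this bug (selecting a result left `pageproxystate` valid, and the fix hides the security indicators when the urlbar value is set by selecting a result), as a simplified model. This is an added example, not Firefox source or the attached patch; `pageproxystate` is the name used in the bug, while the class, method and option names are hypothetical.

```javascript
// Simplified model of a location bar (added example; not Firefox source).
// "pageproxystate" is the attribute named in the bug; every other name
// here (class, methods, option) is hypothetical.
class LocationBarModel {
  constructor(pageUrl, { invalidateOnResultSelection }) {
    this.pageUrl = pageUrl;        // URL of the document actually loaded
    this.value = pageUrl;          // text currently shown in the bar
    this.pageproxystate = "valid"; // "valid": value represents the loaded page
    this.invalidateOnResultSelection = invalidateOnResultSelection;
  }

  // Typing or pasting: the value no longer represents the page.
  typeText(text) {
    this.value = text;
    this.pageproxystate = "invalid";
  }

  // Highlighting a dropdown result (e.g. a Top Site) with the arrow keys.
  highlightResult(url) {
    this.value = url;
    if (this.invalidateOnResultSelection) {
      this.pageproxystate = "invalid"; // behaviour after the fix
    }
  }

  // Escape or click elsewhere without navigating: the value persists.
  blur() {}

  // Icon drawn next to the value.
  indicator() {
    return this.pageproxystate === "valid" ? "padlock" : "magnifier";
  }

  // Invariant under test: a padlock may only sit beside the loaded page's URL.
  isMisleading() {
    return this.indicator() === "padlock" && this.value !== this.pageUrl;
  }
}

// Replays the STR from this bug against the model.
function runStr(invalidateOnResultSelection) {
  const bar = new LocationBarModel("https://www.mozilla.org/", { invalidateOnResultSelection });
  bar.highlightResult("https://www.reddit.com/");
  bar.blur();
  return { value: bar.value, indicator: bar.indicator(), misleading: bar.isMisleading() };
}
```

`runStr(false)` reproduces the reported state (reddit.com URL beside mozilla.org's padlock); `runStr(true)` shows the magnifier instead, matching how typed edits already behaved.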

Comment on attachment 9141020 [details]
Bug 1628288. r=adw

Fixes a minor sec issue with the new megabar design. Approved for 76.0b6.

Attachment #9141020 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Why did we land tests before making it to release?

Flags: needinfo?(mak)

I'm sorry, it's my fault, I thought the rule was for sec-approval (thus excluded sec-low).
In this case I don't think the test clarifies much of the issue; it's mostly checking for an obscure attribute.
What do you think we should do now?

Flags: needinfo?(mak) → needinfo?(fbraun)

(In reply to Marco Bonardo [:mak] from comment #10)

> What do you think we should do now?

There's little we can do for this bug. Please keep it in mind for future work.

Flags: needinfo?(fbraun)
QA Whiteboard: [qa-triaged]

Verified as fixed:

[Tested with:]
  Beta 76.0b7 (64-bit)
  Nightly 77.0a1 (2020-04-21)
[Tested on:]
  verified fixed - Windows 10
  verified fixed - Ubuntu 18.04
  verified fixed - Mac 10.13.6
Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [adv-main76+]
Attached file advisory.txt

Kestrel, if I understand it correctly, this is your first security report to Mozilla. Congratulations, you're going to be mentioned in our security advisories next week! Please let us know ASAP if you want to be credited differently than what we have in our draft right now (see advisory.txt attachment).

Flags: needinfo?(ke5trel)
Alias: CVE-2020-12394
Flags: needinfo?(ke5trel)
Group: core-security-release
Regressed by: urlbar-update-1