Closed Bug 1637885 Opened 5 years ago Closed 5 years ago

Security UI spoofing (spoofing navigation handler protocol + address bar URL)

Categories

(Firefox :: Security, task)

task
Not set
normal

RESOLVED DUPLICATE of bug 1636654

People

(Reporter: vijay.tikudave, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file spoof.html

VULNERABILITY DETAILS

One click user interaction:

Summary:
Navigation to a protocol handler URL from the page opened using window.open is considered a request from the opened page.

Example:

  1. The page opens google.com
  2. The page changes the opened window's location to ssh://evil.com
  3. A request to open ssh://evil.com appears, but the address bar URL is displayed as google.com

VERSION
Firefox 76.0.1 (64-bit)

REPRODUCTION CASE
POC code attached & screenshot as well

IMPACT:
An attacker could trick a user into opening a malicious protocol handler while the address bar refers to a trusted site.

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

As this is a duplicate of a known issue, it does not qualify for a bounty.

Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security