Any websites can run with PWA privileges on Fenix
Categories
(Fenix :: General, defect)
Tracking
(firefox-esr78 wontfix, firefox82 wontfix, firefox83 fixed)
People
(Reporter: sdna.muneaki.nishimura, Assigned: sebastian)
References
Details
(Keywords: csectype-other, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main83+])
Attachments
(3 files, 2 obsolete files)
Fenix has a public interface that allows any apps to inject arbitrary PWA manifest for any origin.
That can be used for installing malicious PWAs on victim's device silently.
The installed PWA runs in fullscreen so spoofing address bar is possible by their contents.
Also through the malicious PWA's manifest, fake share_target
(tries to steal victim's shared contents) can be registered (below).
https://github.com/mozilla-mobile/android-components/blob/ba0d00e94b15bb5ad1383c726a66340b80d6fe14/components/concept/engine/src/main/java/mozilla/components/concept/engine/manifest/WebAppManifestParser.kt#L79
The root cause is that LauncherActivity
in Fenix is publicly accessible (below).
https://github.com/mozilla-mobile/fenix/blob/master/app/src/main/AndroidManifest.xml#L64
That activity receives MANIFEST_PATH key from incoming intent and store the specified manifest file to internal manifest database (below).
https://github.com/mozilla-mobile/fenix/blob/16b677693832d54c64f2ab1f67f0a881a704889d/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt#L93
Here is the demo.
- Save attached
dummy_manifest.json
file to your PC and send it to the connected Android device through ADB.
adb push dummy_manifest.json /data/local/tmp/dummy_manifest.json
- Inject the manifest for example.com via
org.mozilla.gecko.WEBAPP
intent.
adb shell am start -a org.mozilla.gecko.WEBAPP -d 'https://example.com/' -n org.mozilla.fenix/org.mozilla.gecko.LauncherActivity --es MANIFEST_PATH /data/local/tmp/dummy_manifest.json
-
Then, example.com is shown in fullscreen (without address bar). That means PWA for example.com is injected.
-
Once inject the PWA, you can invoke through
mozilla.components.feature.pwa.VIEW_PWA
intent. Then, it runs again in fullsreen.
adb shell am start -a mozilla.components.feature.pwa.VIEW_PWA -d 'https://example.com/'
- If you choose
Delete browsing data
fromSetting
menu, injected PWA can not be cleared.
You need to remove all storage data of Fenix or re-install.
Reporter | ||
Comment 1•5 years ago
|
||
Updated•5 years ago
|
Comment 2•5 years ago
|
||
Sebastian, are you the right person to look at this and bug 1657055 ? They look pretty serious.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 3•5 years ago
|
||
I can take a look and if necessary find someone on the team to continue.
Comment 4•5 years ago
|
||
sec-moderate, I think this requires a "bad app", right?
Reporter | ||
Comment 5•5 years ago
|
||
Yes, bad app is required so I agree with you!
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 6•5 years ago
|
||
Assigning this to Tiger who has agreed to take a look at this.
Comment 7•5 years ago
|
||
I've got a PR ready in Fenix to validate the manifest location inside the app files before reading it. Is something like "validates manifest folder" obscure enough for a Fenix bug/PR title?
Comment 8•5 years ago
•
|
||
Is something like "validates manifest folder" obscure enough for a Fenix bug/PR title?
Yup that sounds fine. Thank you for picking this up to quickly.
Comment 9•5 years ago
|
||
Assignee | ||
Updated•4 years ago
|
Comment 10•4 years ago
|
||
Stefan, is Tiger still working on it? If not, can you please reassign. Thanks!
Comment 11•4 years ago
|
||
Looks like this was merged in August https://github.com/mozilla-mobile/fenix/pull/13358
Comment 12•4 years ago
|
||
What version of Fenix did (will?) this ship in? We will need an advisory for it.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 13•4 years ago
|
||
Sebastian would you have a look? I was not able to see any behavior difference between 80.x and Nightly 83. Using the steps in comment 0 crashes with the display already required. If I kill the app between the two adb shell
commands then it works.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 14•4 years ago
|
||
In 80 I see us pick up the manifest and save it to disk for later and using the values from the manifest. In 83 the manifest gets rejected (since it is not in the expected location) and we launch in a "custom tab fallback mode" just loading the URL. So this looks good and as intended.
Along the way I found a possible crash (I used some invalid manifest) and opened a PR to catch parsing errors.
Using the steps in comment 0 crashes with the display already required.
I didn't run into this one. Maybe we can look at this outside of this bug. If we can extract some STRs for the "display already acquired" bug then this would be helpful for something else. :)
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 15•4 years ago
|
||
Comment 16•4 years ago
|
||
Comment 17•4 years ago
|
||
Updated•4 years ago
|
Updated•4 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Updated•8 months ago
|
Description
•