1670127 - (CVE-2021-29958) File download request in Firefox iOS shares private browsing mode cookie

Status: RESOLVED FIXED

(Firefox for iOS :: General, defect)

Description

[Muneaki Nishimura]

Attachment: fxios_private_bypass_by_download.mp4

Similar to Bug 1663261 in Fenix, Firefox iOS also shares private mode cookie with normal browsing context.

When user taps download link, actual file download request is sent from Swift side HTTP client (below).
https://github.com/mozilla-mobile/firefox-ios/blob/1aa4bb892c60ff346df0eab30691578282947618/Client/Frontend/Browser/DownloadQueue.swift#L58
But this client doesn't check whether the requested browsing context was private mode or not.

Steps to reproduce the issue is below:

1. Visit http://csrf.jp/2020/dl_fxios in private browsing mode
2. Tap set_cookie.php link, then a tracking cookie id is set
3. Visit http://csrf.jp/2020/dl_fxios again in normal browsing mode
4. Tap get_cookie.php link, then the recorded cookie id in step 2 is shown in the downloaded contents

Comment 1

[Johann Hofmann [:johannh]]

Jeremy, Phonebook tells me you're in charge of Firefox for iOS. Can you find someone to handle this? Thanks!

Comment 2

[Jeremy Evans]

(In reply to Johann Hofmann [:johannh] from comment #1)

Jeremy, Phonebook tells me you're in charge of Firefox for iOS. Can you find someone to handle this? Thanks!

On my radar, I'll see what we can find out

Comment 3

[Muneaki Nishimura]

Do you have a plan to fix this vulnerability?
If not, please disclose this ticket because other browsers who use FxiOS can take action by themselves based on this information.

Comment 4

[Daniel Veditz [:dveditz]]

[Moving needinfo to dbolter since Garvan left.]

Muneaki: Mozilla is officially closed until January 4 so you won't get an answer until then at the earliest.

Comment 5

[Jeff Boek [:boek]]

Pulling this into our next sprint.
https://github.com/mozilla-mobile/firefox-ios/issues/8324

Comment 6

[Daniela Arcese [:daniela]]

Attachment: advisory.txt