Closed Bug 1670127 (CVE-2021-29958) Opened 4 years ago Closed 3 years ago

File download request in Firefox iOS shares private browsing mode cookie

Categories

(Firefox for iOS :: General, defect)

defect

Tracking

()

RESOLVED FIXED
Tracking Status
fxios 34 ---

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

References

()

Details

(Keywords: sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Similar to Bug 1663261 in Fenix, Firefox iOS also shares private mode cookie with normal browsing context.

When user taps download link, actual file download request is sent from Swift side HTTP client (below).
https://github.com/mozilla-mobile/firefox-ios/blob/1aa4bb892c60ff346df0eab30691578282947618/Client/Frontend/Browser/DownloadQueue.swift#L58
But this client doesn't check whether the requested browsing context was private mode or not.

Steps to reproduce the issue is below:

  1. Visit http://csrf.jp/2020/dl_fxios in private browsing mode
  2. Tap set_cookie.php link, then a tracking cookie id is set
  3. Visit http://csrf.jp/2020/dl_fxios again in normal browsing mode
  4. Tap get_cookie.php link, then the recorded cookie id in step 2 is shown in the downloaded contents
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS
Type: task → defect

Jeremy, Phonebook tells me you're in charge of Firefox for iOS. Can you find someone to handle this? Thanks!

Flags: needinfo?(jeevans)

(In reply to Johann Hofmann [:johannh] from comment #1)

Jeremy, Phonebook tells me you're in charge of Firefox for iOS. Can you find someone to handle this? Thanks!

On my radar, I'll see what we can find out

Flags: needinfo?(jeevans)

Do you have a plan to fix this vulnerability?
If not, please disclose this ticket because other browsers who use FxiOS can take action by themselves based on this information.

Flags: needinfo?(garvankeeley+github)
Flags: needinfo?(dveditz)

[Moving needinfo to dbolter since Garvan left.]

Muneaki: Mozilla is officially closed until January 4 so you won't get an answer until then at the earliest.

Flags: needinfo?(garvankeeley+github)
Flags: needinfo?(dveditz)
Flags: needinfo?(dbolter)
Flags: needinfo?(jeevans)
Flags: needinfo?(jboek)
Flags: needinfo?(dbolter)
Flags: needinfo?(jeevans)
Flags: needinfo?(jboek)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2021-29958
Attached file advisory.txt
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: