Open Bug 1670725 (urlbar-truncate-android) Opened 5 years ago Updated 15 hours ago

Truncate URL bar from the front, preserve the important parts of the domain

Categories

(Firefox for Android :: Toolbar, defect, P3)

Unspecified
Android
defect

People

(Reporter: kirtikumar.a.r, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Assigned to:- Firefox
Assigned by:- Kirtikumar Anandrao Ramchandani
Assigned on:- 11/10/2020
Vulnerability Name:- Hostname not elided securely (URL Spoofing on Android browser).
Vulnerability Details:- The browser showed the first part instead of the hostname.
Platform:- Android
Application Version:-

  1. Firefox Browser 81.1.4
  2. Firefox Lite 2.5.2
  3. Firefox Browser Beta 82.0.0-beta.4
  4. Firefox Focus 8.8.1
  5. Firefox Nightly 201010 17:10

Device:- Xiaomi Redmi Note 5 Pro (Android 9) (Build/PKQ1.180904.001)
Video Proof of concept:- https://drive.google.com/file/d/1QOSJyQWM6DIVFgPXHHn1Nd9ynJ6WoMjz/view?usp=sharing
Original PoC uploaded on:- https://kirtikumarar.com/Firefox_PoC.html
The result observed:- http://wwww.manage-myaccount.paypal.com....
Result Expected:- http://....bntk.pl

Steps to reproduce:-

  1. Load the Website or the attached testcase.
  2. Click on "Click here to go to Google.com"
  3. Go back to the parent tab and observe the URL in the address bar.
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
Product: Firefox → Fenix

I don't see what the popup does here. It does not seem particularly important to this. This seems like a variant of https://github.com/mozilla-mobile/fenix/issues/6762 and that the parts of the domain that Firefox chooses to display could be improved.

This is a regression from Fennec - I'm pretty sure there must be a dupe (in addition to Chris's github issue).

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: URL Spoofing → truncate URL bar from the front, preserve the important parts of the domain

Petru, can you investigate this one, and check if the github issue mentioned by Kevin is related to this? Thanks!

The ideal solution here is for GV to fix bug 1685152 and then port the Fennec or Desktop URL parsing code to Fenix/AC.

Seems like the issue Kevin posted would indeed resolve this and was something that Sebastian & Kate wanted to tackle.
If they don't have cycles to work on this now I'll look into it.
Keeping a NI here to know to follow this.

Agi's newly opened ticket would probably help with this.
Thank you Kevin!
Adding him to this ticket also.

Flags: needinfo?(petru.lingurar)

Happy new year!
Opera has fixed the same issue in Opera Mini (Android). Here: https://twitter.com/Kirtikumar_A_R/status/1348569263548755971

See Also: → 1689192

Unfortunately this issue was already known to us (see the linked github issue) and is not eligible for a bug bounty.

Flags: sec-bounty? → sec-bounty-

This issue will at least receive a CVE, yes? Issue where it shows LTR instead of RTL. Thanks!

Flags: needinfo?(dveditz)

I don't know how advisories and CVEs are handled for Firefox Lite.

Can you add somebody in the CC who can assign a CVE?

Flags: needinfo?(dveditz)
Flags: needinfo?(petru.lingurar)

GV would expose Gecko's URI API (bug 1685152) to Fenix frontend.

Severity: -- → S3
Depends on: 1685152
Priority: -- → P3
OS: Unspecified → Android
Component: Security: Android → Toolbar
Group: mobile-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: urlbar-truncate-desktop
Resolution: --- → DUPLICATE
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1813212
Duplicate of this bug: 1836598
Duplicate of this bug: 1860399
See Also: → 1629684
Duplicate of this bug: 1865924
Duplicate of this bug: 1874246
Priority: P3 → P2
Summary: truncate URL bar from the front, preserve the important parts of the domain → Truncate URL bar from the front, preserve the important parts of the domain
Duplicate of this bug: 1909609
No longer duplicate of this bug: 1909609
Priority: P2 → P3

Group: mobile-core-security
Status: NEW → RESOLVED
Duplicate of bug: 1598175
Resolution: --- → DUPLICATE

Marking this bug as a private security bug again. Looks like the security flag was cleared when this bug was mistakenly resolved as a duplicate of a desktop address bar bug.

This bug will get fixed by Android's toolbar redesign project (phase 2).

Group: mobile-core-security
Duplicate of this bug: 1919920
Duplicate of this bug: 1925447
Duplicate of this bug: 1941526

Making public again because the Fenix GH issue is public and the https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ test site is a well-known demonstration of exactly this bug.

Group: mobile-core-security
Duplicate of this bug: 1959105
Alias: urlbar-truncate-android
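
The elision this bug asks for, next to the end-truncation it reports, as an added example that is not part of the bug and is not Fenix or GeckoView code. The function names are hypothetical, `SAMPLE_SUFFIXES` is a constructed stand-in for the Public Suffix List, and widths are counted in characters rather than pixels.

```javascript
// Added example: hypothetical helpers, not Fenix/GeckoView code.
// Constructed stand-in for the Public Suffix List; a browser consults the full list.
const SAMPLE_SUFFIXES = new Set(["com", "pl", "co.uk"]);
const ELLIPSIS = "\u2026";

// Registrable domain (public suffix plus one label) of a hostname.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // i grows from 0, so the longest matching suffix is found first.
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.slice(-2).join("."); // unknown suffix: assume a one-label TLD
}

// The behaviour reported in this bug: keep the start of the host, drop the end.
function elideFromEnd(host, width) {
  return host.length <= width ? host : host.slice(0, width - 1) + ELLIPSIS;
}

// The requested behaviour: drop leading labels, never the registrable domain.
function elideFromFront(host, width) {
  const isIpLiteral = /^\d+(\.\d+){3}$/.test(host) || host.startsWith("[");
  if (host.length <= width || isIpLiteral) return host;
  // If the registrable domain alone exceeds the width, show it whole anyway.
  const keep = Math.max(registrableDomain(host).length, width - 1);
  return keep >= host.length ? host : ELLIPSIS + host.slice(-keep);
}

// Host shown in the toolbar for a full URL at a given width in characters.
function toolbarHost(rawUrl, width, elide) {
  return elide(new URL(rawUrl).hostname, width);
}

// Test host named in this bug, plus a constructed host with a two-label suffix.
const BADSSL =
  "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/";
const CONSTRUCTED = "https://secure.login.accounts.example-shop.co.uk/signin";

console.log(toolbarHost(BADSSL, 24, elideFromEnd));
console.log(toolbarHost(BADSSL, 24, elideFromFront));
console.log(toolbarHost(CONSTRUCTED, 12, elideFromFront));
```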

Adding a note that the behaviour for how URLs will be displayed on Android will change after bug 1812898, with the domain being bolded and the entire URL scrolled to focus on the domain.

See Also: → 1812898