Opening URL from external app bypasses Firefox Focus fingerprint.
Categories
(Focus :: General, defect, P3)
Tracking
(Not tracked)
People
(Reporter: superriku11, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
When leaving a session open in Firefox Focus, with "Use fingerprint to unlock app" enabled, the fingerprint prompt can be bypassed by passing a URL to Firefox Focus from an external app.
It should be noted that some methods of passing a URL to Focus result in an "open link in new session" option in the fingerprint prompt. This would appear to indicate there's specific handling for external calls that would result in a new session or tab during an already active session. This can be demonstrated by "sharing" a link to Focus from another browser, such as Firefox or Chrome (tested both), which results in the aforementioned prompt. Opening URLs from apps (e.g. Gmail) that open an in-app Custom Tab ("powered by Firefox Focus" appears in menu for Custom Tab instances) also does not reveal session data.
Opening a URL from other apps that do not use an in-app Custom Tab, and also not via a "share" context menu, results in the fingerprint prompt being bypassed and the URL opened as an additional tab in the current session. This would appear to be a bug in the handling of external calls in direct URL cases.
This bug is easily reproducible. Expectation and steps-to-reproduce described below.
Expected:
Fingerprint security should prevent revealing an active session, or details thereof, regardless of method of launching Firefox Focus.
Actual:
Fingerprint prompt is bypassed and active session is fully exposed by opening a URL from an external app.
Steps to reproduce:
- Ensure "Use fingerprint to unlock app" is enabled.
- Load any site in Firefox Focus.
- Exit Firefox Focus. At this point, if you re-enter Firefox Focus through any direct means (app launcher, app switcher), you are prompted for fingerprint to access the current session.
- Open a URL in Firefox Focus from another app. The other app must open the URL in the browser, rather than using the "Custom Tabs" feature of Android. It also must not come from a "share" context menu. An example of what qualifies is any URL action that asks which browser app you would like to open with, if you do not have a default set.
- Click the tab switcher. You can now see any open tabs from the active session, and access them directly. Fingerprint security has been fully bypassed.
Video for demonstration: https://www.youtube.com/watch?v=b68cgUwLLZk
Device details:
SM-G975U1 (Samsung Galaxy S10+, unlocked direct-from-Samsung ("open market") edition)
Android 10 (Samsung One UI 2.5)
Android Security Patch Level: October 1, 2020
Firefox Focus version: 8.8.3 (Build #342872056 Gecko 81.0.2-20201012085804)
All device system software and apps are current release versions as of 2020-10-28.
Please note: I did not intend to file this under Firefox, but there didn't appear to be a way to file a security issue for Firefox Focus.
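The expected behaviour stated in the report (no launch route reveals a locked session), modelled as an added example that is not part of the original report and is not Firefox Focus code. It is plain Kotlin with no Android dependencies; the names `EntryRoute`, `Entry`, `Outcome` and `SessionGate`, and the choice to hold an incoming URL until unlock succeeds, are assumptions.

```kotlin
// Added illustration in plain Kotlin. Not Firefox Focus source code;
// EntryRoute, Entry, Outcome and SessionGate are hypothetical names.

// The ways of reaching the app that the report distinguishes.
enum class EntryRoute { LAUNCHER, SHARE, CUSTOM_TAB, DIRECT_VIEW }

enum class Outcome { SHOW_SESSION, ISOLATED_TAB, PROMPT_FOR_UNLOCK }

data class Entry(val route: EntryRoute, val url: String? = null)

class SessionGate(private val lockEnabled: Boolean) {
    private val tabs = mutableListOf<String>()
    private var unlocked = !lockEnabled
    private var pending: Entry? = null

    // Leaving the app re-locks the session.
    fun onBackgrounded() { if (lockEnabled) unlocked = false }

    // Single choke point: every entry route is decided here, so no route
    // can reach the session UI without passing the lock check.
    fun handle(entry: Entry): Outcome {
        // A Custom Tab renders only its own URL and never touches session tabs.
        if (entry.route == EntryRoute.CUSTOM_TAB) return Outcome.ISOLATED_TAB
        if (!unlocked) {
            pending = entry // hold the URL; do not add it to the session yet
            return Outcome.PROMPT_FOR_UNLOCK
        }
        entry.url?.let { tabs.add(it) }
        return Outcome.SHOW_SESSION
    }

    // Called only after the fingerprint/biometric check succeeds.
    fun onAuthSucceeded(): Outcome {
        unlocked = true
        pending?.url?.let { tabs.add(it) }
        pending = null
        return Outcome.SHOW_SESSION
    }

    // What the tab switcher is allowed to display.
    fun visibleTabs(): List<String> = if (unlocked) tabs.toList() else emptyList()
}

fun main() {
    val gate = SessionGate(lockEnabled = true)
    gate.onAuthSucceeded()
    gate.handle(Entry(EntryRoute.DIRECT_VIEW, "https://example.org/private")) // constructed URL
    gate.onBackgrounded()
    for (route in EntryRoute.values()) {
        val outcome = gate.handle(Entry(route, "https://example.com/$route")) // constructed URL
        println("$route -> $outcome, tabs visible: ${gate.visibleTabs()}")
    }
}
```

In an Android app the same decision would sit in front of both the initial launch intent and later intents delivered to a running activity, which is where a direct `ACTION_VIEW` URL arrives.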
Comment 2•4 years ago
Stefan: who works on Focus these days? Can you please make sure they get this bug.
Comment 4•2 years ago
This should already be fixed in Focus.
Comment 7•2 years ago
This works for me using 107.2.0 and confirms Mihai's comment #4 from a few months ago.
Comment 8•2 years ago
Since this is a bug bounty submission can we do better than "WORKSFORME"? Was there an intentional change in Focus to fix this?
Comment 9•2 years ago
I have no idea what fixed this. Maybe the UI rewrite? I could look at it in January when I am back from PTO though Mihai or SV QA could test the steps using the release builds. I doubt we can get to a specific checkin given we don't have MozRegression for Focus.
Comment 10•2 years ago
The entire Lock functionality has been rewritten, including the app navigation, while also switching to biometric auth.
You cannot currently open an external link (shared by another app) or from the widget without unlocking the app.
Comment 11•2 years ago
This was fixed in the same re-write that fixed bug 1613941.