Closed Bug 1677285 Opened 4 years ago Closed 4 years ago

Blank Address Bar Spoof (also affect permission dialog)

Categories

(Fenix :: Toolbar, defect)

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 1676311

People

(Reporter: sourc7, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(4 files, 1 obsolete file)

Attached file spoof.html

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

Steps to reproduce:

This bug is similar to Bug 1521708 that has been fixed on Firefox for Desktop. But it still works on Firefox for Android.

  1. Open attached file "spoof.html"
  2. Click "Sign in with Google" button

Actual results:

Address bar shows "Search or enter address"

Expected results:

Address bar shows "about:blank"

Furthermore, when I added the Geolocation API to the about:blank window page, the permission dialog is shown as "Allow to use your location?" (hiding the origin URL).

I've rewritten spoof.html with the intention of mimicking the Google Maps web page (which usually requests the user's current location), so when the user clicks "View on Google Maps" it will render Google Maps in an <iframe> on the about:blank page. After a few seconds, the Geolocation API asks for permission with the prompt "Allow to use your location?" (hiding the origin URL).

As the origin URL is hidden, the user will likely tap "Allow", as the Google Maps webpage usually asks for permission to detect the current location.

Attached file spoof-permission.html (obsolete)
Attached file spoof-permission.html

Added a title and ensured the user taps on the permission dialog.

Attachment #9187871 - Attachment is obsolete: true
Summary: Blank Address Bar Spoof → Blank Address Bar Spoof (also affect permission dialog)

Previously I tested that this works on Firefox for Android Nightly 201113 17:03 (Build #2015775439) (as reproduced in the screenshot above).

Then, 5 days after reporting this issue, I updated Firefox to Android Nightly 201118 17:04 (Build #2015776395), and I was surprised the issue has been fixed (because the Mozilla team usually discusses the fix on the reported ticket).

I confirm it still works on Firefox for Android 83.1.0 (Build #2015776403). So the fix is somewhere between Firefox for Android Nightly 201114 and 20118.

Flags: sec-bounty?

Fixed by 1676311

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty-
Group: mobile-core-security
Component: Security: Android → Toolbar