Closed Bug 1679377 Opened 4 years ago Closed 2 years ago

firefox crashes by opening a maps link, if Apple Maps app is deleted

Categories

(Firefox for iOS :: General, defect)

RESOLVED MOVED

People

(Reporter: man9our.ah, Unassigned)

Details

(Keywords: csectype-dos, sec-low)

Attachments

(2 files)

Attached video bugreport.MP4

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Firefox for Android

Steps to reproduce:

If the client has Firefox for iOS as the default web browser, a malicious website can simply open (or redirect to) https://maps.apple.com/?address=1, which will trigger the bug. As a simple test, just visit this website, https://gts3.org/~mansourah/testBug.html, which contains:

<meta http-equiv="refresh" content="1; URL=https://maps.apple.com/?address=1" />

I am on the latest Firefox for iOS on the App Store (Firefox Daylight 29.2 3120) and iOS version 14.0.1. I am not sure if there are further settings that need to be set in order for this to be triggered.

Actual results:

It seems that Firefox identifies the URL as a maps URL correctly in
https://github.com/mozilla-mobile/firefox-ios/blob/bae2b929bd134cc0409e0fb578ff6d8e52dc5520/Client/Frontend/Browser/BrowserViewController/BrowserViewController%2BWebViewDelegates.swift#L386

but then when it passes the URL to UIApplication it will try to open it in Firefox, which will cause an infinite loop until Firefox eventually crashes.

I have attached a screen-recorded video of what happens when you open a website that redirects to https://maps.apple.com/?address=1.

Expected results:

It seems to me that Firefox should have handled such an infinite loop and not tried to open a new tab or pass the URL to UIApplication.

I just updated iOS to the latest version (14.2); the bug is still triggered.

Group: firefox-core-security → mobile-core-security
Component: Untriaged → General
Product: Firefox → Firefox for iOS
Version: other → unspecified

I think I found one more thing that needs to be set for the bug to be triggered: the user must have deleted Apple Maps. Only then will UIApplication keep calling Firefox with the same URL and enter an infinite loop. Chrome does not seem to suffer from this.

Why would this affect Firefox for iOS and not Safari? I guess the Apple Maps site detects it's on iOS and tries to launch the app even if you're trying to use the browser? Seems like a classic loop where we send a request for an external handler to the OS, and the OS decides we're the correct handler for it and sends it back, ad infinitum.

Flags: needinfo?(sarentz)
Summary: firefox crashes by opening a new link → firefox crashes by opening a maps link, if Apple Maps app is deleted
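
The hand-off loop described in the comments above, modeled in plain Swift together with a re-entry guard as one possible mitigation. This is an added example, not firefox-ios code and not the fix that shipped; `HandoffGuard`, `navigate`, the 5-second window and the web-view fallback are assumptions made for illustration.

```swift
import Foundation

// Constructed model: every type and function name here is hypothetical.

/// Remembers URLs recently handed to the OS, so a URL that the OS routes
/// straight back to the browser is not handed off a second time.
final class HandoffGuard {
    private var pending: [URL: Date] = [:]
    private let window: TimeInterval
    init(window: TimeInterval = 5) { self.window = window }

    /// True if the URL may go to the OS; false if it bounced back within the window.
    func shouldHandOff(_ url: URL, now: Date = Date()) -> Bool {
        pending = pending.filter { now.timeIntervalSince($0.value) < window }
        if pending[url] != nil { return false }
        pending[url] = now
        return true
    }
}

enum Outcome: Equatable { case openedInApp, loadedInWebView, loopAborted(hops: Int) }

/// Simulates the cycle: the browser classifies a maps URL and asks the OS to open it;
/// with no Maps app installed, the OS gives the https link to the default browser again.
func navigate(to url: URL, mapsInstalled: Bool,
              using handoffGuard: HandoffGuard?, maxHops: Int = 1000) -> Outcome {
    var hops = 0
    while hops < maxHops {
        hops += 1
        // Browser side: only maps links are sent to an external handler.
        guard url.host == "maps.apple.com" else { return .loadedInWebView }
        // Mitigation: a URL we handed off moments ago stays in the web view.
        if let g = handoffGuard, !g.shouldHandOff(url) { return .loadedInWebView }
        // OS side: a registered handler app ends the cycle.
        if mapsInstalled { return .openedInApp }
        // No handler app: the link comes back to the default browser, i.e. to us.
    }
    // The simulation stops here; an unguarded app has no such cap.
    return .loopAborted(hops: hops)
}

let url = URL(string: "https://maps.apple.com/?address=1")!
print(navigate(to: url, mapsInstalled: true, using: nil))
print(navigate(to: url, mapsInstalled: false, using: nil))
print(navigate(to: url, mapsInstalled: false, using: HandoffGuard()))
```

Only the second call, with the handler app missing and no guard, runs until the hop cap; the guarded call stops on the first bounce.
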

Can we move this issue to GitHub? Adding Jeremy on this one.

Flags: needinfo?(sarentz)
Flags: needinfo?(jeevans)
Attached image bug 1679377.PNG

On Firefox for iOS v102 I can't reproduce this anymore. I do get the redirect to Apple Maps using <meta http-equiv="refresh" content="1; URL=https://maps.apple.com/?address=1" />, but there's now a prompt (as shown in the attached screenshot) that blocks the infinite loop from happening. If I click "Cancel" nothing happens; if I click "Show in App Store" then we're just brought to the App Store.

Closing this issue; opened a GitHub ticket so we can harden this part of the code: https://github.com/mozilla-mobile/firefox-ios/issues/11342

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jeevans)
Resolution: --- → MOVED

Indeed. This is resolved in new versions.

Does this bug have a CVE ID?

I think this was fixed in the OS and not by Firefox for iOS peeps. I'm not aware of a CVE ID for this.

Group: mobile-core-security