Bypassing http auth spoofing warning prompt when there's a cached redirect
Categories
(Core :: Networking, defect, P2)
Tracking
()
People
(Reporter: vijay.tikudave, Assigned: kershaw)
References
()
Details
(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage][adv-main86+])
Attachments
(2 files)
As firefox browser nightly have open redirect prevention whereby the warning prompt will be shown to user in case of malicious attempt of making redirect with help of "@" eg. if you open www.facebook.com@go.com
It will show warning prompt to prevent any spoofing.
However this could be bypass with emoji.
eg. if user click on below url , it won't be prompted for redirect warning & adversary could use the bug to exploit issue.
https://www.facebook.com@☺️.com
it will redirect to adversary page without any redirect prompt
Comment 1•4 years ago
•
|
||
This appears to work correctly on desktop nightly (though you get a certificate warning first with the https link from comment #0 that you need to click through before you get the other warning, if you modify the link to http://
then you get the warning immediately). Based on the original summary, I assume the intent was to report an issue with Fenix / Firefox for Android.
Reporter | ||
Comment 2•4 years ago
|
||
Yes, It is intended for Firefox android Fenix. is it accepted yet for progress?
Comment 3•4 years ago
|
||
(In reply to Vijay Tikudave from comment #2)
Yes, It is intended for Firefox android Fenix. is it accepted yet for progress?
Most folks here are on break for the end of year, so it may be until January until someone responds. Any updates will appear on this bug.
Comment 4•4 years ago
|
||
Amedyne is there someone who you would recommend to look at this?
Comment 5•4 years ago
|
||
I got the warning the first time I tried this, but not after that. I see a similar behavior on Desktop: once the redirect from xn--74h.com to frueh.net is cached I no longer get the phishing warning. When I try the testcase with DevTools open (which disables the cache by default) I always get the warning, but with normal caching I don't.
This doesn't seem to have anything to do with the emoji, but with whether there is a redirect and whether that redirect is cached. You can reproduce this behavior with non-emoji domains like:
https://foo@www.gmail.com/
http://foo@cnn.com/
The fact that the redirect is cached means the user has been there before, but that doesn't negate this as an attack. For example in the CNN case above it's quite likely that if the user has gone to CNN at all they probably just typed it in to the addressbar without the 'www' and thus would have the redirect cached. Of course CNN isn't a phishing site, but maybe an attacker could load the phishing site in a hidden iframe to prime the redirect first, and then show the phishing link to the user.
Since this warning is generated in Necko (other than the display) common behavior makes sense, and this should be moved to Networking.
Updated•4 years ago
|
Assignee | ||
Comment 7•4 years ago
|
||
Apparently, nsHttpChannelAuthProvider::CheckForSuperfluousAuth
is only called when the http response is from network. To fix this bug, we need to also call nsHttpChannelAuthProvider::CheckForSuperfluousAuth
for cache path.
Assignee | ||
Comment 8•4 years ago
|
||
![]() |
||
Comment 9•4 years ago
|
||
![]() |
||
Comment 10•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/3d26a1f3b809522af0152918341a4b5ff924e4bb
https://hg.mozilla.org/mozilla-central/rev/3d26a1f3b809
Reporter | ||
Comment 11•4 years ago
|
||
Hi,
is it eligible for bounty?
Updated•4 years ago
|
Comment 12•4 years ago
|
||
The sec-bounty flag has been set on this bug. It will be reviewed when the security group meets.
Updated•4 years ago
|
Updated•4 years ago
|
Comment 13•4 years ago
|
||
I've managed to confirm this fix on macOS 10.14, Ubuntu 18.04 x64 and Windows 10 x64, by following this steps:
- Open http://foo@example.com
- Expect to see the warning prompt
- Open http://foo@example.com again. This time the response is from the cache.
- The warning prompt should be shown again.
I've tested the bug on Beta 86.0b5. Thanks Kershaw, for helping me to verify this.
Reporter | ||
Comment 14•4 years ago
|
||
Hi,
is it eligible for CVE-ID alias?
Updated•4 years ago
|
Comment 15•4 years ago
|
||
Updated•4 years ago
|
Updated•3 years ago
|
Updated•8 months ago
|
Description
•