Closed Bug 1685067 Opened 4 years ago Closed 3 years ago

Firefox for iOS crashes via multiple scenarios affecting address bar.

Categories

(Firefox for iOS :: General, defect)

RESOLVED WORKSFORME

People

(Reporter: 7rp, Unassigned)

Details

(Keywords: csectype-dos, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

As was mentioned in 1684667, filing a separate report.
Description:
If the victim pastes a long crafted link in the address bar, or follows it in the address bar history, Firefox will crash.
Steps to reproduce:

  1. Generate payload with python3:
    python3 -c "print('https://google.com/' + 'A' * 1000000)"
  2. Paste this string in the address bar - immediate crash. Note that the link content can be copied via JS on a malicious page.
  3. Follow this link in the address bar history - immediate crash. Note that the link will be shortened in the UI, so the user can follow it accidentally.
  4. Enable "Offer to Open Copied Links", then follow this link on startup. Delayed crash after some time (when you click on the address bar several times to "unfreeze it" during the loading). Note that the link will be shortened, and the victim will not realize that it can crash the browser.

Tested on:
Firefox Daylight (30.0, 3279), iPhone 6, latest iOS (12.5). Can't check on other iOS/devices/editions now.

Impact:
Accessibility and stability are affected. The user will lose info in open tabs when experiencing that crash. It can also be an indicator of more serious bugs, like overflows; it's hard to trace on iOS.

Flags: sec-bounty?
See Also: → 1684667

First scenario ("Paste this string in address bar") also affects Firefox Focus. Should I file a separate report?

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → General
Product: Firefox → Firefox for iOS

(In reply to 7rp@protonmail.com from comment #1)

First scenario ("Paste this string in address bar") also affects Firefox Focus. Should I file a separate report?

I don't know. Stefan?

Flags: needinfo?(sarentz)
Flags: sec-bounty? → sec-bounty-

I verified this bug on Focus 40.0 and Firefox 40.2 and I was not able to reproduce this crash. There is a considerable delay when pasting a URL with a million characters in it, but it works and both apps responded with a proper error page.

iPhone X running iOS 15.0 (Which is old but I have no reason to believe this regressed in 15.2)

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(sarentz)
Resolution: --- → WONTFIX
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Group: mobile-core-security