Insecure Algorithm
Categories: Firefox for Android :: General, defect
People: Reporter: sm.asim, Unassigned
Attachments: 1 file (30.85 KB, text/x-java)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Steps to reproduce:
Dear Team,
I have found a security issue in your mobile application Firefox.
Here are the app version details of Firefox.
App details: Firefox
App version: 84.1.4
App ID: org.mozilla.firefox
Device type: Android
Description:
Weak or badly implemented encryption algorithms can endanger data storage and transmission used by the mobile application.
Details:
There is 'DESede/CBC/NoPadding' found in file 'mozilla/components/support/migration/FennecLoginsMigration.java':
line 198: SecretKey generateSecret = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(bArr));
line 199: Cipher instance = Cipher.getInstance("DESede/CBC/NoPadding");
line 200: instance.init(2, generateSecret, new IvParameterSpec(bArr2));
CVSSv3 Base Score:
5.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Reference:
https://developer.android.com/reference/javax/crypto/Cipher.html
http://find-sec-bugs.github.io/bugs.htm
Steps:
Download the APK file of the Firefox version given below.
Decompile the APK file to Java through the website http://www.javadecompilers.com/
There I found the Java file with the insecure algorithm DESede/CBC/NoPadding.
Direct link: the file is attached and you can trace this as below.
File path: mozilla\components\support\migration\FennecLoginsMigration.java
Actual results:
Example of insecure code:
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);
Example of secure code:
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);
Expected results:
Use a strong encryption algorithm such as AES.
Comment 1•4 years ago
We are migrating a legacy file. This code is used to read specific data from a known source inside the Firefox profile area which is owned by the app and difficult to impossible for a malicious actor to interact with.
Sebastian, I assume this is wontfix.
Comment 2•4 years ago
(In reply to Kevin Brosnan [:kbrosnan] from comment #1)
> We are migrating a legacy file. This code is used to read specific data from a known source inside the Firefox profile area which is owned by the app and difficult to impossible for a malicious actor to interact with.
Yeah, agree, that's the code that is reading the old Fennec database for migration. We will have to keep that code around until we are ready to not migrate anymore.
So far we haven't picked up any of the tasks that clean up those files. By now the migration has been successful enough that we could start to at least get rid of those old files on disk. But that is unrelated to this bug.
Flagging Grisha additionally.
Comment 3•4 years ago
Yup, this is our migration code for the logins database. Parts of that database are encrypted using TDES, hence the code in FennecLoginsMigration.kt to decrypt this data. No security concern here, just something we'll need to clean up once we're ready to remove the migration code.
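The triage step this thread turns on, as an added example that is not part of the bug or of Mozilla's code: the reported `instance.init(2, ...)` uses opmode 2, which is `Cipher.DECRYPT_MODE`, so the weak cipher only reads existing data. The function name `triage`, the `usage` labels and the `SAMPLE` input (the report's quoted lines plus its "insecure code" example) are assumptions made for this sketch.

```python
import re

# javax.crypto.Cipher opmode constants; decompilers print them as bare integers.
OPMODES = {"1": "ENCRYPT", "2": "DECRYPT", "3": "WRAP", "4": "UNWRAP"}
WEAK_ALGS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR"}
GET_INSTANCE = re.compile(r'(\w+)\s*=\s*Cipher\.getInstance\("([^"]+)"\)')
INIT = r'\b{var}\.init\(\s*(?:Cipher\.)?(\w+)\s*,'

# Constructed input: the three lines quoted in the report, followed by the
# reporter's "insecure code" example.
SAMPLE = '''
line 198: SecretKey generateSecret = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(bArr));
line 199: Cipher instance = Cipher.getInstance("DESede/CBC/NoPadding");
line 200: instance.init(2, generateSecret, new IvParameterSpec(bArr2));
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
'''

def triage(java_source):
    """Return one finding per weak Cipher.getInstance call and how it is used."""
    findings = []
    for match in GET_INSTANCE.finditer(java_source):
        var, transformation = match.groups()
        parts = transformation.split("/")
        reasons = []
        if parts[0].upper() in WEAK_ALGS:
            reasons.append("legacy algorithm " + parts[0])
        if len(parts) > 1 and parts[1].upper() == "ECB":
            reasons.append("ECB mode")
        if not reasons:
            continue
        # Collect every opmode passed to init() on the same variable name.
        raw_ops = re.findall(INIT.format(var=re.escape(var)), java_source)
        ops = sorted({OPMODES.get(op, op.replace("_MODE", "")) for op in raw_ops})
        if not ops:
            usage = "unknown"            # no init() call found for this variable
        elif set(ops) <= {"DECRYPT", "UNWRAP"}:
            usage = "read-only"          # only reads existing data, e.g. a migration
        else:
            usage = "writes-ciphertext"  # new data is protected with the weak cipher
        findings.append({"transformation": transformation, "reasons": reasons,
                         "ops": ops, "usage": usage})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Variables are matched by name across the whole input, so run it per method or per file; a "read-only" result still needs a reviewer to confirm where the ciphertext comes from.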