Closed Bug 1693664 Opened 4 years ago Closed 4 years ago

Title of popups without location bar can fully be spoofed - title does not include the URL or extension name

Categories

(Firefox :: Tabbed Browser, defect)

Product:
Firefox
Component:
Tabbed Browser
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox-esr78 87+ fixed
firefox86 --- wontfix
firefox87 + fixed
firefox88 + fixed

People

(Reporter: robwu, Assigned: robwu)

References

(Regression)

Details

(Keywords: csectype-spoof, regression, sec-moderate, Whiteboard: [adv-main87+][adv-esr78.9+])

Attachments

(2 files)

Bug 1693664 - Correctly run prefix logic in getWindowTitleForBrowser
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr78+
dveditz
: sec-approval+
Details | Review
advisory.txt
353 bytes, text/plain
Details

bug 1621328 moved Services.uriFixup.createExposableURI to Services.io.createExposableURI, but a consumer in tabbrowser.js at getWindowTitleForBrowser still references the old method: https://searchfox.org/mozilla-central/rev/e84baf5c730abd453be5d50dcb0aba1e743bac47/browser/base/content/tabbrowser.js#950

The relevant logic is wrapped in a try-catch that blindly ignores errors. The impact of this is that if a page can open a popup without location bar (e.g. extensions), then an extension can spoof the full popup title, and the user wouldn't know that the popup comes from an extension.

There is a unit test that is supposedly verifying that the extension name is in the title (toolkit/components/extensions/test/browser/browser_ext_windows_popup_title.js), but that doesn't work because of a bug in it (see two comments at https://bugzilla.mozilla.org/show_bug.cgi?id=1690611#c14).

So, to fix this bug, uriFixup should be replaced with io, and the unit test (browser_ext_windows_popup_title.js) should be fixed.

Assignee: nobody → rob
Status: NEW → ASSIGNED

Comment on attachment 9204070 [details]
Bug 1693664 - Correctly run prefix logic in getWindowTitleForBrowser

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Easy. But if concerning, the unit test can be added to a different patch that is already in development, see bug report.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: esr78, all release
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Patch includes unit test that passed locally. No further testing is needed.
Attachment #9204070 - Flags: sec-approval?

Comment on attachment 9204070 [details]
Bug 1693664 - Correctly run prefix logic in getWindowTitleForBrowser

I called this sec-moderate because it's limited to malicious extensions; technically doesn't need sec-approval now. Since I'm here: sec-approval+

Attachment #9204070 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/mozilla-central/rev/d031e888c05e

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox88: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Please nominate this for Beta and ESR78 approval when you get a chance.

Flags: needinfo?(rob)

Comment on attachment 9204070 [details]
Bug 1693664 - Correctly run prefix logic in getWindowTitleForBrowser

Beta/Release Uplift Approval Request

  • User impact if declined: Scripts that can open popups without location bar (e.g. extensions) can fully spoof the title of the window.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple fix covered by unit tests.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fixes a UI spoofing issue.
  • User impact if declined: Scripts that can open popups without location bar (e.g. extensions) can fully spoof the title of the window.
  • Fix Landed on Version: 88 pending uplift to 87
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple fix covered by unit tests.
  • String or UUID changes made by this patch:
Flags: needinfo?(rob)
Attachment #9204070 - Flags: approval-mozilla-esr78?
Attachment #9204070 - Flags: approval-mozilla-beta?

I'm linking bug 1296365 because it had a (partially working) unit test meant to detect this kind of bug. If the test was working as intended, then this regression wouldn't have happened because the test failure would prevent the patch for bug 1621328 from landing.

See Also: → 1296365

Comment on attachment 9204070 [details]
Bug 1693664 - Correctly run prefix logic in getWindowTitleForBrowser

Approved for 87.0b3 and 78.9esr.

Attachment #9204070 - Flags: approval-mozilla-esr78?
Attachment #9204070 - Flags: approval-mozilla-esr78+
Attachment #9204070 - Flags: approval-mozilla-beta?
Attachment #9204070 - Flags: approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main87+]
Whiteboard: [adv-main87+] → [adv-main87+][adv-esr78.9+]
Attached file advisory.txt
Group: core-security-release
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: