Closed Bug 1708107 Opened 3 years ago Closed 3 years ago

URL Spoofing using http auth

Categories

(Firefox :: Address Bar, defect)

Firefox 90
defect

Tracking

RESOLVED DUPLICATE of bug 873810

People

(Reporter: pm.mahendra1, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate)

Attachments

(2 files)

Attached file new.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Firefox for Android

Steps to reproduce:

  1. Open this URL - http://designs.ndev.xyz/test/new.html or open the attached HTML file.
  2. Click on the 'Click here to Open Apple.com'.
  3. Wait for 1 second.

Actual results:

PoC videos:
Mac - https://youtu.be/FHiHgvBIE1w
Android - https://youtu.be/SbQMQt86KKw

  1. The URL has been spoofed. The URL in the address bar is https://apple.com, but the auth popup is from techyfly.xyz. That means the URL has been spoofed.

  2. HTTP authentication is not giving any warning.

  3. HTTP authentication is so dangerous. It can spoof the username and password of a victim. I explained this in these issues: https://bugzilla.mozilla.org/show_bug.cgi?id=1692268 and https://bugzilla.mozilla.org/show_bug.cgi?id=1704346

  4. On Android it's showing the actual saved username and password of apple.com.

Expected results:

It should give the actual URL of the HTTP authentication.

UserAgent (Mac) - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0

On both Mac and Android the HTTP Auth prompt clearly says https://techyfly.xyz is the site that's asking for the auth. We know we need to improve clarity here because cross-origin sub-resources (scripts or images, for instance) can trigger this prompt and people do get confused. This example is clever and takes advantage of the fact that we don't want to show the user a blank page while they are waiting for a navigation to a new site. We should re-think that: if we get a 401 response we could blank the old page (and update the address bar) before displaying the prompt.

:dveditz thanks for your reply, I understand your point. But seeing this, with the prompt appearing on apple.com, the user can think techyfly.xyz is a part of Apple, and can insert sensitive information into the prompt.

Did you notice that on the Android device, my saved password for apple.com is showing in the prompt? I attached a screenshot. Please look into this.

I'm going to clone this into separate bugs. The Fenix password manager should NOT be suggesting passwords that don't match the source of the http auth.

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #4)

I'm going to clone this into separate bugs. The Fenix password manager should NOT be suggesting passwords that don't match the source of the http auth.

Did you create the clone of this bug, or do you want me to create it?

And could you add the 'sec-bounty?' flag to this bug?

Flags: sec-bounty?
Component: Untriaged → Address Bar
OS: Unspecified → All
Hardware: Unspecified → All
Version: Firefox 88 → Firefox 90
Flags: needinfo?(dveditz)

Is there a separate bug for the android issue?

I'm pretty sure the desktop issue (which effectively devolves to "indicate the origin requesting auth in the address bar") is a duplicate of an existing bug which is probably public, probably bug 656343 (see also all its dupes...)

Flags: needinfo?(dveditz)

Looks like the android issue got filed as bug 1709257.

(In reply to :Gijs (he/him) from comment #6)

I'm pretty sure the desktop issue (which effectively devolves to "indicate the origin requesting auth in the address bar") is a duplicate of an existing bug which is probably public, probably bug 656343 (see also all its dupes...)

... either that or bug 873810, which is more directly related to what is happening here. I'll leave the needinfo for Dan so he can make a call.

See Also: → CVE-2021-29965

873810 seems the best match

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE

I think I am the noob one here :/ . People reported the same bug 8 years ago. I don't know why the bug is still open. Why is it not fixed yet?
And why is the bug public?

Flags: sec-bounty? → sec-bounty-

:dveditz I have a request for you: can you remove bug 873810 from public view until it gets resolved?

The reason I asked you is because:

  1. The user gets confused about whether the auth popup is coming from the original site or not.
  2. There is no warning string or message on the auth popup about whether the user should insert the credentials or not.
  3. I know the user will understand from the domain that appears on the popup. But what if the popup comes from an IP address?

Flags: needinfo?(dveditz)

That bug has been public for 8 years. There's no point in hiding it now.

Flags: needinfo?(dveditz)
Group: firefox-core-security