Fenix password manager is fooled by origin of http auth prompt, suggests passwords for the completely wrong site
Categories
(Fenix :: General, defect)
Tracking
(firefox88 wontfix, firefox89+ fixed, firefox90+ fixed)
People
(Reporter: pm.mahendra1, Assigned: sebastian)
References
(Depends on 1 open bug)
Details
(Keywords: csectype-disclosure, csectype-spoof, sec-high, Whiteboard: [adv-main89+])
Attachments
(3 files, 1 obsolete file)
|
365.62 KB,
image/jpeg
|
Details | |
|
11.61 KB,
patch
|
csadilek
:
review+
tjr
:
sec-approval+
|
Details | Diff | Splinter Review |
|
391 bytes,
text/plain
|
Details |
Screenshot_20210428_182959_org.mozilla.firefox.jpg
+++ This bug was initially created as a clone of Bug #1708107 +++
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Firefox for Android
Steps to reproduce:
- Open this URL - http://designs.ndev.xyz/test/new.html
- Click on the 'Click here to Open Apple.com'.
- Wait for 1 second.
Actual results:
POC videos -
Android - https://youtu.be/SbQMQt86KKw
As you can see in the screenshot the http auth is suggesting the password of apple.com
Expected results:
The Fenix password manager should NOT be suggesting passwords that don't match the source of the http auth.
|
Reporter | |
Comment 1•3 years ago
|
||
Here I want to ask a question These password in the screenshot is saved on my google chrome Browser not in Firefox. but it is suggesting me on Firefox? if I click on the "manage password" it open the google chrome app and redirect me to the password manager.
Is this a bug of google or Firefox ?
|
||
Comment 2•3 years ago
|
||
This seems specific to Android. Stefan, can your team take a look at this? Thanks!
|
||
Comment 3•3 years ago
|
||
This looks to me like an extension/consequence of bug 1708107 -- we've spoofed our own password manager!
Note: we intentionally suggest passwords for sibling domains because that comes up a lot in large sites (e.g. sites where the password is saved for registration.veditz.example and then used on www.veditz.example). THIS IS NOT THAT. We're suggesting passwords based on the URL of the topmost tab while the auth comes from a different tab entirely.
Are we equally wrong if the auth prompt comes from a cross-origin frame?
|
|
||
Comment 4•3 years ago
|
||
The popup from behind is probably a Gecko bug, and a spoofing problem in its own right: bug 873810
THIS bug (with a higher severity) is that our password manager suggestions lend credence to the spoof and make it much more likely the user will fall for it.
|
Assignee | |
Comment 5•3 years ago
•
|
||
I'll take a look.
From the video it seems like what happens:
The http auth dialog is shown for the previous page. (Not getting cancelled on navigation?)[Edit: That assumption was wrong, the dialog is for the next page that should get loaded]- Autofill suggestions are shown for the current page. What's interesting here is that this doesn't seem to be our own suggestions, but come from Android's Autofill API (which is also confirmed by the user seeing suggestions from their accounts stored in Chrome). I'm curious whether we pass the domain along or whether the Autofill service tries to interpolate it from the view structure.
|
|
Assignee | |
Comment 6•3 years ago
|
||
The password suggestions are coming from the system's autofill provider (Android system API).
We try to give the system API a hint and tell it the domain to autofill for:
https://github.com/mozilla-mobile/android-components/blob/master/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/dialog/AutofillEditText.kt
Unfortunately we pass along the URL of the current tab:
https://github.com/mozilla-mobile/android-components/blob/master/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt#L610
With this patch, we pass the URL the auth dialog is for instead (that we get from Gecko).
|
|
Assignee | |
Comment 7•3 years ago
|
||
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9222615 [details] [diff] [review] 0001-AuthenticationDialogFragment-Use-URL-from-prompt-req.patch Review of attachment 9222615 [details] [diff] [review]: ----------------------------------------------------------------- Tested this patch against the provided sample page and verified that only logins matching the domain of the auth request are suggested.
|
|
Assignee | |
Comment 9•3 years ago
|
||
Comment on attachment 9222615 [details] [diff] [review]
0001-AuthenticationDialogFragment-Use-URL-from-prompt-req.patch
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The patch exposes that we have been using the current page's URL for the autofill hint instead of the URL the auth dialog is for. With that information you may end up figuring out the spoofing shown in this bug.
However to be effective it needs: An Android device supporting the autofill API (Android 8+), the user to have setup an autofill provider (or using the default), the user having matching accounts stored in the autofill provider.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
- Which older supported branches are affected by this flaw?: All release versions of Firefox for Android
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Very unlikely.
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
Comment on attachment 9222615 [details] [diff] [review]
0001-AuthenticationDialogFragment-Use-URL-from-prompt-req.patch
We're in RC week, approved to land
|
|
||
Comment 11•3 years ago
|
||
Adding bounty nomination at the request of the reporter (email to security@)
|
|
Assignee | |
Comment 12•3 years ago
|
||
- Patch landed in the branches A-C and Fenix Nightly.
- And patch landed in the A-C and Fenix branches for Fenix 89 (waiting for the next Beta/RC to get out).
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
Reporter | |
Comment 13•3 years ago
|
||
:pocmo Thanks for fixing this bug. I checked on Firefox Nightly and It's working fine.
:dveditz Does this bug qualify for bounty ? let me know.
Thanks,
Harshit Mahendra
|
||
Updated•3 years ago
|
|
|
||
Comment 14•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Comment 15•3 years ago
|
||
The bug is flagged for the bounty committee and we will evaluate it in the coming weeks (probably next week.)
|
|
||
Updated•3 years ago
|
|
|
Reporter | |
Comment 16•3 years ago
|
||
:dveditz Thanks for the bounty ! Just wanted to ask what will be the next step to process bounty ?
|
|
||
Comment 17•3 years ago
|
||
Harshit - I will be doing the paperwork on our end and emailing you
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•