Closed Bug 1712240 Opened 3 years ago Closed 3 years ago

Firefox webpages can launch custom tabs via intents (and cause crash)

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(firefox90 wontfix, firefox91 wontfix, firefox92 fixed)

RESOLVED FIXED

People

(Reporter: tester01, Assigned: royang)

References

Details

(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [adv-main92+])

Attachments

(2 files)

Firefox has several intent processors; one of those is for creating CustomTabs in CustomTabIntentProcessor.kt. However, this intent can be triggered from a normal Firefox webpage to open an arbitrary URL. Additionally, the webpage can specify many UI elements such as menu items and URL bar color. This gives the tab more control of the browser UI than it should have, in my opinion.

Example triggering custom tab:

location.href='intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;S.android.support.customtabs.extra.SESSION=asdf;i.android.support.customtabs.extra.TOOLBAR_COLOR=-16776961;end'

Example of crashing the app on page load:

location.href='intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;S.android.support.customtabs.extra.SESSION=asdf;i.android.support.customtabs.extra.TOOLBAR_COLOR=0xa;end'

Also, I noticed that if you pass an invalid integer (0xa or 4294967295) it will cause Firefox to crash on page load (stack trace attached). Additionally, I'm not sure if this is a quirk of intents, but the color integer value is signed, so you have to actually pass negative colors to get more than 0x7f alpha (i.e. 0xff0000ff -> -16776961).

There are at least two issues here: the ability to launch intents, and the fact that this particular handler could be crashed by any app that wants to crash us. The crash itself does not appear exploitable beyond the Denial of Service aspect.

I feel like we already have a bug on the intents issue (in general, not custom tabs specifically). If we allow them at all they must be treated the way we treat external protocol handlers (custom schemes like zoommtg:) because they can and will be abused in all the same ways. Beyond external intents which we might have to allow, we should not accept intents from web content that boomerang back to ourselves.

I guess rating this sec-moderate as a "vector" type issue, though in particular cases (see the other custom tab bug) this will lead to more severe issues.
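As an added example (not Fenix code, and not from either commenter), the following Python parses intent: URIs of the shape shown in the report and applies the two checks the discussion calls for: refusing web-originated intents whose package= points back at the browser itself, and validating "i." integer extras the way a Java decimal int parse would, so that a value like 0xa or 4294967295 is reported instead of surfacing as an unhandled exception. The browser package name, the sample URIs (built from the report's examples) and the helper names are assumptions for illustration; the signed-colour helper reproduces the 0xff0000ff -> -16776961 conversion the reporter describes.

```python
"""Added example: defensive parsing of intent:// URIs received from web content.
Not Fenix code; the package name, sample URIs and helper names are assumed."""
import re

# Assumed own package name (the bug's examples target org.mozilla.firefox).
OWN_PACKAGE = "org.mozilla.firefox"

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
# Java's Integer.valueOf accepts an optional sign and decimal digits only.
JAVA_INT_RE = re.compile(r"^[+-]?[0-9]+$")


def parse_intent_uri(uri):
    """Split 'intent://host/path#Intent;k=v;...;end' into fixed fields and typed extras.
    Extras keep their one-letter Java type code and raw value; nothing is converted."""
    if not uri.startswith("intent://"):
        raise ValueError("not an intent: URI")
    host_path, _, fragment = uri[len("intent://"):].partition("#")
    if not (fragment.startswith("Intent;") and fragment.endswith(";end")):
        raise ValueError("malformed Intent fragment")
    parsed = {"host_path": host_path, "scheme": None, "package": None,
              "action": None, "extras": {}}
    for item in fragment[len("Intent;"):-len(";end")].split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        if key in ("scheme", "package", "action"):
            parsed[key] = value
        elif len(key) > 2 and key[1] == ".":
            # typed extra: type code, dot, extra name (e.g. i.android...TOOLBAR_COLOR)
            parsed["extras"][key[2:]] = (key[0], value)
        else:
            # unknown field: keep raw so a reviewer can see what was sent
            parsed["extras"][key] = ("?", value)
    return parsed


def parse_java_int(raw):
    """Return the int a Java decimal parse would yield, or None where it would throw."""
    if not JAVA_INT_RE.match(raw):
        return None                      # "0xa": hex literals are not accepted
    value = int(raw)
    if value < INT32_MIN or value > INT32_MAX:
        return None                      # "4294967295": outside 32-bit range
    return value


def argb_to_intent_int(argb):
    """Signed 32-bit view of an ARGB colour, the form an 'i.' extra must carry."""
    argb &= 0xFFFFFFFF
    return argb - 2**32 if argb > INT32_MAX else argb


def check_web_intent(uri, own_package=OWN_PACKAGE):
    """Policy for an intent: URI that arrived from web content.
    Returns (allowed, reasons); reasons is empty when the intent is acceptable."""
    reasons = []
    try:
        parsed = parse_intent_uri(uri)
    except ValueError as exc:
        return False, [f"unparseable: {exc}"]
    if parsed["package"] == own_package:
        reasons.append("intent targets the browser itself")
    for name, (type_code, raw) in parsed["extras"].items():
        if type_code == "i" and parse_java_int(raw) is None:
            reasons.append(f"invalid int extra {name}={raw!r}")
    return not reasons, reasons


# Constructed sample inputs, modelled on the report's two examples plus a benign one.
SAMPLE_URIS = [
    "intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;"
    "S.android.support.customtabs.extra.SESSION=asdf;"
    "i.android.support.customtabs.extra.TOOLBAR_COLOR=-16776961;end",
    "intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;"
    "S.android.support.customtabs.extra.SESSION=asdf;"
    "i.android.support.customtabs.extra.TOOLBAR_COLOR=0xa;end",
    "intent://example.com#Intent;scheme=http;package=com.example.otherapp;end",
]

if __name__ == "__main__":
    for sample in SAMPLE_URIS:
        allowed, why = check_web_intent(sample)
        print("ALLOW" if allowed else "BLOCK", why)
    print(argb_to_intent_int(0xFF0000FF))
```

The policy deliberately separates "who is the target" from "are the extras well-formed": the first check implements the no-boomerang rule on its own, and the second stops a malformed extra from ever reaching a typed getter.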

Assignee: nobody → royang
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Whiteboard: [adv-main92+]
Attached file advisory.txt
Group: core-security-release
Component: Security: Android → General