Firefox webpages can launch custom tabs via intents (and cause crash)
Categories: Fenix :: General, defect
Tracking: firefox90 wontfix, firefox91 wontfix, firefox92 fixed
People: Reporter: tester01, Assigned: royang
Keywords: csectype-priv-escalation, sec-moderate; Whiteboard: [adv-main92+]
Attachments: 2 files
Firefox has several intent processors; one of those is for creating CustomTabs in CustomTabIntentProcessor.kt. However, this intent can be triggered from a normal Firefox webpage to open an arbitrary URL. Additionally, the webpage can specify many UI elements such as menu items and URL bar color. This gives the tab more control of the browser UI than it should have, in my opinion.
Example triggering custom tab:
location.href='intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;S.android.support.customtabs.extra.SESSION=asdf;i.android.support.customtabs.extra.TOOLBAR_COLOR=-16776961;end'
Example of crashing app on page load:
location.href='intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;S.android.support.customtabs.extra.SESSION=asdf;i.android.support.customtabs.extra.TOOLBAR_COLOR=0xa;end'
Also I noticed that if you pass an invalid integer (0xa or 4294967295) it will cause Firefox to crash on page load (stack trace attached). Additionally, I'm not sure if this is a quirk of intents, but the color integer value is signed, so you have to actually pass negative colors to get more than 0x7f alpha (i.e. 0xff0000ff -> -16776961).
Comment 1•3 years ago
There are at least two issues here: the ability to launch intents, and the fact that this particular handler could be crashed by any app that wants to crash us. The crash itself does not appear exploitable beyond the Denial of Service aspect.
I feel like we already have a bug on the intents issue (in general, not custom tabs specifically). If we allow them at all they must be treated the way we treat external protocol handlers (custom schemes like zoommtg:) because they can and will be abused in all the same ways. Beyond external intents which we might have to allow, we should not accept intents from web content that boomerang back to ourselves.
I guess rating this sec-moderate as a "vector" type issue, though in particular cases (see the other custom tab bug) this will lead to more severe issues.
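The two points in this thread, the reporter's observation that a malformed `i.` integer extra takes the app down and the comment's policy that web content must never launch an intent addressed back to the browser itself, can both be shown with a small parser that validates an `intent:` URI before anything acts on it. The block below is an added example written for this page, not Fenix code and not in the project's Kotlin; it is Python for illustration. It assumes the `intent:` URI grammar as documented for Android's `Intent.parseUri` (data before `#Intent;`, `;`-separated fields, `S.`/`i.` typed extras, `;end` terminator), takes `org.mozilla.firefox` as the self package from the report's own URLs, and uses a deliberately strict integer rule (decimal, signed 32-bit) and a constructed package name `com.example.otherapp` for the external case. It does not claim to reproduce the exact crash path in the attached stack trace, which is not on this page.

```python
# Added example (not Fenix code): parse and validate an Android "intent:" URI
# before acting on it. Grammar per Android's Intent.parseUri: data before
# "#Intent;", ";"-separated fields, ";end" terminator, "S." = string extra,
# "i." = int extra. The strict-int rule and the "no boomerang" policy are
# this example's own choices, not the project's.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# Package named in the report's URLs: an intent addressed here returns to the browser itself.
SELF_PACKAGE = "org.mozilla.firefox"

# The two URIs quoted in the report (benign custom tab, then the crashing variant).
REPORTED_CUSTOM_TAB_URI = (
    "intent://example.com#Intent;scheme=http;package=org.mozilla.firefox;"
    "S.android.support.customtabs.extra.SESSION=asdf;"
    "i.android.support.customtabs.extra.TOOLBAR_COLOR=-16776961;end"
)
REPORTED_CRASH_URI = REPORTED_CUSTOM_TAB_URI.replace("-16776961", "0xa")
# Constructed: same shape aimed at some other app (hypothetical package name).
EXTERNAL_URI = REPORTED_CUSTOM_TAB_URI.replace(SELF_PACKAGE, "com.example.otherapp")

INT32_MIN, INT32_MAX = -2 ** 31, 2 ** 31 - 1
# Fields Intent.parseUri understands besides typed extras.
KNOWN_FIELDS = ("scheme", "package", "action", "category", "type")


@dataclass
class ParsedIntent:
    target_url: str
    scheme: Optional[str] = None
    package: Optional[str] = None
    extras: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def parse_int_extra(raw: str) -> Optional[int]:
    """Accept only a plain decimal that fits a signed 32-bit int.
    '0xa' (hex) and 4294967295 (out of range) yield None instead of raising."""
    if not re.fullmatch(r"-?\d+", raw):
        return None
    value = int(raw)
    return value if INT32_MIN <= value <= INT32_MAX else None


def parse_intent_uri(uri: str) -> ParsedIntent:
    """Split an intent: URI into target URL, package and typed extras.
    Anything malformed is recorded in .errors rather than thrown."""
    m = re.fullmatch(r"intent:(?P<data>[^#]*)#Intent;(?P<body>.*);end", uri)
    if m is None:
        raise ValueError("not an intent: URI")
    fields, extras, errors = {}, {}, []
    for part in m.group("body").split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        value = unquote(value)
        if key in KNOWN_FIELDS:
            fields[key] = value
        elif key.startswith("S."):
            extras[key[2:]] = value
        elif key.startswith("i."):
            parsed = parse_int_extra(value)
            if parsed is None:
                errors.append(f"invalid int extra {key[2:]}={value!r}")
            else:
                extras[key[2:]] = parsed
        else:
            errors.append(f"unsupported field {part!r}")
    scheme = fields.get("scheme")
    # As in Intent.parseUri, "scheme=" supplies the scheme of the data URI.
    data = m.group("data")
    target_url = f"{scheme}:{data}" if scheme else f"intent:{data}"
    return ParsedIntent(target_url, scheme, fields.get("package"), extras, errors)


def signed_to_argb(value: int) -> int:
    """Android colors are signed 32-bit ints; -16776961 is 0xFF0000FF (opaque blue)."""
    return value & 0xFFFFFFFF


def web_content_may_dispatch(intent: ParsedIntent, self_package: str = SELF_PACKAGE) -> bool:
    """Policy for intents that arrived from web content: drop the intent if any
    extra failed validation, or if it is addressed back to our own package."""
    if intent.errors:
        return False
    return intent.package != self_package


if __name__ == "__main__":
    for label, uri in [("custom tab", REPORTED_CUSTOM_TAB_URI),
                       ("crash", REPORTED_CRASH_URI),
                       ("external", EXTERNAL_URI)]:
        p = parse_intent_uri(uri)
        print(label, p.target_url, p.package, p.extras, p.errors,
              "dispatch:", web_content_may_dispatch(p))
```

Running the script shows the reported custom-tab URI parsing cleanly but being refused because it targets the browser's own package, the crashing variant being refused because `0xa` is not a valid int extra (no exception escapes), and the external variant passing the policy check, which is the point at which the usual external-protocol-handler treatment would apply.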