Closed Bug 1725626 Opened 3 years ago Closed 2 years ago

Strip "javascript:" scheme when pasting/dropping into the address bar to prevent socially engineered self-XSS

Categories

(Fenix :: Toolbar, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sharan23103, Unassigned)

References

Details

(Keywords: sec-low)

Attachments

(1 file)

209 bytes, application/octet-stream

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

Steps to reproduce:

A self-UXSS has been identified in the Firefox Android browser.
Normally, while pasting a javascript: URI into the Firefox desktop URL bar/omnibox, the "javascript" word is removed, and if we type it the XSS won't happen either.
But in the Android browser it can be pasted and the XSS can be done.

1. Go to any website in Firefox
2. Paste the URL Javascript:alert(1) or Javascript:alert(document.cookie)

Actual results:

SELF UXSS

Expected results:

SELF UXSS

Any update?

Can confirm.

When fixing watch out for various attempts to bypass naïve matching like bug 1402896 and bug 1439396 (for one, be careful about normalizing before matching). Don't forget about drag-and-drop if that goes through a different path than pasting.
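As an added illustration of that warning (example code written for this page, not the Fenix or Android Components fix and not code posted by anyone in this thread): a naive `startsWith("javascript:")` check is bypassed by a capitalised scheme, leading whitespace, or a tab/newline inside the word, because the URL parser lower-cases the scheme and strips those characters before it decides what the scheme is. The sanitizer below normalizes the way the WHATWG URL parser does before matching, and is the single function both the paste and drop entry points call. The `onPaste`/`onDrop` names and the sample inputs are assumptions for the example.

```javascript
// Added example (not Fenix/Android Components code): a paste/drop sanitizer
// for an address bar that strips a leading "javascript:" scheme as the URL
// parser would see it, so naive bypasses (case, leading whitespace,
// embedded tab/newline) do not slip through.

// Naive check: exact, case-sensitive prefix match. Bypassed by
// "Javascript:", " javascript:" and "java\nscript:".
function naiveStrip(text) {
  return text.startsWith("javascript:") ? text.slice("javascript:".length) : text;
}

// Mirror the WHATWG URL parser's pre-processing: drop leading/trailing
// C0 controls and spaces (U+0000..U+0020), then remove every ASCII tab,
// LF and CR anywhere in the string.
function normalizeLikeUrlParser(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Match only after normalizing, so whatever the URL parser would later
// treat as a javascript: URL is exactly what we match on. The scheme
// comparison is ASCII case-insensitive, as the URL spec lower-cases schemes.
function stripJavascriptScheme(text) {
  const normalized = normalizeLikeUrlParser(text);
  const m = /^javascript:/i.exec(normalized);
  if (!m) return text;                 // not a javascript: URL; leave untouched
  return normalized.slice(m[0].length);
}

// Cross-check with the platform URL parser (Node / modern browsers): true
// when the parser itself classifies the text as a javascript: URL.
function parsesAsJavascriptUrl(text) {
  try {
    return new URL(text).protocol === "javascript:";
  } catch {
    return false;                      // not an absolute URL at all
  }
}

// One sanitizer shared by both entry points (hypothetical handler names),
// so drag-and-drop cannot become a second, unprotected path.
function onPaste(clipboardText) { return stripJavascriptScheme(clipboardText); }
function onDrop(droppedText)    { return stripJavascriptScheme(droppedText); }

// Constructed inputs covering the bypasses the thread warns about.
const SAMPLES = [
  "javascript:alert(1)",
  "Javascript:alert(document.cookie)",
  "  JAVASCRIPT:alert(1)",
  "java\nscript:alert(1)",
  "\tjavascript:\talert(1)",
  "https://example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", JSON.stringify(stripJavascriptScheme(s)),
      "| naive:", JSON.stringify(naiveStrip(s)),
      "| URL parser says javascript:", parsesAsJavascriptUrl(s));
  }
}
```

Running it shows the naive check leaving "Javascript:alert(document.cookie)" and "java\nscript:alert(1)" untouched while `new URL(...)` reports both as `javascript:`; the normalized sanitizer agrees with the parser on every sample. The important design point is that the normalization must be the parser's own, not a looser or stricter one, otherwise the check and the parser disagree and the gap between them is the bypass.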

Same problem in Focus. It's a different implementation so I'll clone this bug.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low
Summary: UXSS → Strip "javascript:" scheme when pasting/dropping into the address bar to prevent socially engineered self-XSS
Blocks: 1726050

Yes, this same issue exists in Focus.

Attached file POC
Flags: needinfo?(sarentz)

This has not been fixed in Focus, see bug 1726050 comment 1

Sorry for the confusion, this has not been fixed in Focus.

Flags: needinfo?(sarentz)
See Also: → 1726050

Hey, any updates regarding this?

Flags: needinfo?(sarentz)
No longer blocks: 1726050
Group: mobile-core-security → core-security-release

Will I get a hall of fame listing or bounty for this submission?

Flags: needinfo?(kbrosnan)
Flags: needinfo?(ryanvm)
Flags: needinfo?(kbrosnan)
Flags: needinfo?(dveditz)

I've added the bounty flag so it will be considered in our next meeting.

Flags: needinfo?(dveditz) → sec-bounty?

Fine, can I know what the bounty flag is?

Regards
Sharan

Flags: needinfo?(tom)

The bounty flag indicates the status of a bounty; once a bounty is approved or declined it will be changed to + (plus, approved) or - (minus, declined). Right now it's set to '?' so it will show up in our query of 'issues to evaluate' at our next bounty meeting. If a bounty is approved the flag will be changed, and 1-5 days later I'll email you with details about how payment occurs, which typically takes 3-5 weeks from a bounty being approved.

Flags: needinfo?(tom)

Same problem in Focus. It's a different implementation so I'll clone this bug.

This turned out to be incorrect: it was not in the front-end UX code as I guessed but in the shared Android Components.

This bug is not eligible for a cash bounty but it is eligible for a Hall of Fame listing.

Group: core-security-release
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

I don't know how you are saying this is not a security bug.

Yes, this attack needs minimal social engineering, but we can't say this is a non-security bug.

For the attack scenario,
the victim needs to paste this in the URL bar and needs to send some sort of image, i.e. a screenshot, [social engineering] to the attacker.

Flags: needinfo?(dveditz)

We did not say it wasn't a security bug; it is. But as described in our bug bounty policy vulnerabilities rated moderate or below are not guaranteed a bounty. Because of the level of user interaction required (especially on mobile where it's much more annoying to copy/paste) it was rated sec-low and did not qualify for a bounty; however we will include you in the Hall of Fame.

Flags: needinfo?(dveditz)

No, the copy/paste on mobile can be quite easy too.
See this.

An easy, effortless scenario:
a likely victim can easily copy on a website with an easy HTML/JS copy function, i.e. click/tap to copy, and the victim can easily copy via the keyboard clipboard.

https://drive.google.com/file/d/1qxCZk_9AZQS6mTJsSLcaGjuvAAl-V0Sw/view?usp=drivesdk

Flags: needinfo?(tom)
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
Flags: needinfo?(tom)
Flags: needinfo?(dveditz)

We discussed it again, but we haven't changed our decision

Flags: needinfo?(tom)

I don't know why you have not changed your decision.

Flags: needinfo?(tom)

We reconsidered the submission but it still does not meet the criteria to receive a bounty. Please do not continue to ask.

Flags: needinfo?(tom)

I do know this is a low-severity bug.
Lastly, you only stated this:
"on mobile where it's much more annoying to copy/paste."
So I thought that for this reason alone this doesn't meet at least a low level of severity.

As the reporter, if I know the reason for the decision, I can avoid reporting this kind of issue.

Even I don't want to waste my time here.

Flags: needinfo?(tom)

Bugs are for bug (defect) information; if you want to discuss bounty stuff please don't bother the developers (here in this bug) with it but mail the address given for our Bug Bounty program. You also may find the FAQ answers many of your questions. The program is directed primarily to stimulate research into finding bugs such as memory corruption that can lead to browser or even computer compromise ("0-days").

Please honor our Bugzilla participation rules

Flags: needinfo?(tom)
Component: Security: Android → Toolbar
