Open Bug 1731181 Opened 3 years ago Updated 1 year ago

Address bar, security windows show origin elided insecurely, allows URL spoofing

Categories: Focus :: General, defect, P3
Platform: Unspecified
OS: Android
Tracking: Not tracked
People: Reporter: bugzilla-mozilla, Unassigned
References: (none)
Details: Keywords: csectype-spoof, sec-low
Attachments: 8 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36

Steps to reproduce:

This report is for Firefox Desktop, Firefox for Android, and Firefox Focus for Android.

In all of the above, the address bar shows the beginning of the origin. When a long origin is used, this can lead to origin spoofing.

In Firefox Focus, this is particularly bad since tapping the security indicator still does not show the full origin or the end of the origin.
In Firefox for Desktop and Firefox for Android, tapping the security indicator will show the full origin correctly.

In Firefox for Desktop, focusing the address bar keeps showing the beginning of the origin (unsafe).

In Firefox for Android and Firefox Focus for Android, focusing the address bar will show the end of the URL (unsafe). This is unsafe since a long path can also obscure the end of the origin.

This may be a partial duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1598175 (Firefox for Desktop) and https://github.com/mozilla-mobile/fenix/issues/6762 (Firefox for Android). I wasn't able to find a public report for Firefox Focus.

This was discovered/discussed publicly on Twitter: https://twitter.com/AlesandroOrtizR/status/1438675521555025922

  1. Go to https://badssl.com
  2. Navigate to any of their long origin examples
  3. Observe address bar and tap security indicator

Actual results:

Address bar in...
Firefox Desktop, Firefox for Android, and Firefox Focus for Android: Shows beginning of origin (https://subdomain...) (unsafe)

When tapping security indicator in...
Firefox Desktop and Firefox for Android: Full origin is shown (safe)
Firefox Focus for Android: Beginning of origin is shown (unsafe)

When focusing address bar in...
Firefox Desktop: Beginning of origin is shown (unsafe)
Firefox for Android and Firefox Focus for Android: End of URL is shown (unsafe because long path can also hide origin)

Expected results:

Address bar in...
All identified products: Shows end of origin (https://...badssl.com)

When tapping security indicator in...
All identified products: Full origin is shown; if elision is needed, show end of origin

When focusing address bar in...
All identified products: End of origin is shown (note: not end of URL)

Attached image Firefox-Desktop-Windows
Attached image Firefox-Android.jpg

Repro and attached screenshots from Firefox 92 on Windows 10, Firefox 92.1.1 on Android 11, and Firefox Focus 92.1.1 on Android 11.
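The following is an added example, not code from the bug report or from any Mozilla product: a small JavaScript model of the three elision behaviours the report describes (beginning of the origin, end of the full URL, end of the origin), applied to constructed URLs. The hostnames `accounts.example.com` and `attacker.example`, the 31-character display width, and the "last two host labels" stand-in for the registrable domain are assumptions made for illustration.

```javascript
// Added example: models the address-bar elision strategies described in the bug.
// Not Firefox/Fenix/Focus code. Display width, hostnames and URLs are assumed/constructed.

const DISPLAY_WIDTH = 31; // assumed number of characters the address bar can show
const ELLIPSIS = "...";

// Constructed test URLs (attacker.example is a placeholder, not a real site).
const LEGIT = "https://accounts.example.com/login";
// Long origin whose *beginning* imitates the legitimate site.
const SPOOF_SUBDOMAIN =
  "https://accounts.example.com.login-verify-session.attacker.example/login";
// Short origin whose *path* imitates the legitimate site.
const SPOOF_PATH = "https://attacker.example/accounts.example.com/login";

function keepHead(s, width = DISPLAY_WIDTH) {
  return s.length <= width ? s : s.slice(0, width - ELLIPSIS.length) + ELLIPSIS;
}

function keepTail(s, width = DISPLAY_WIDTH) {
  return s.length <= width ? s : ELLIPSIS + s.slice(-(width - ELLIPSIS.length));
}

// Behaviour reported for the unfocused address bar: beginning of the origin (unsafe).
function elideOriginHead(url) {
  return keepHead(new URL(url).origin);
}

// Behaviour reported when focusing the mobile address bar: end of the full URL (unsafe).
function elideUrlTail(url) {
  return keepTail(new URL(url).href);
}

// Behaviour the report asks for: elide the origin only, keeping the scheme and the
// end of the host, so the path can never push the real site out of view.
function elideOriginTail(url) {
  const u = new URL(url);
  const origin = u.origin; // scheme + host (+ non-default port); never the path
  if (origin.length <= DISPLAY_WIDTH) return origin;
  const scheme = u.protocol + "//";
  const room = DISPLAY_WIDTH - scheme.length - ELLIPSIS.length;
  return scheme + ELLIPSIS + origin.slice(-room);
}

// Assumed heuristic: the last two host labels stand in for the registrable domain.
// A real implementation would consult the Public Suffix List instead.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Does the rendered string still reveal the site the user is actually on?
function showsRealSite(display, url) {
  return display.includes(registrableDomain(url));
}

// Render a URL under all three strategies and flag which ones hide the real site.
function audit(url) {
  const head = elideOriginHead(url);
  const urlTail = elideUrlTail(url);
  const originTail = elideOriginTail(url);
  return {
    head, headSafe: showsRealSite(head, url),
    urlTail, urlTailSafe: showsRealSite(urlTail, url),
    originTail, originTailSafe: showsRealSite(originTail, url),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const url of [LEGIT, SPOOF_SUBDOMAIN, SPOOF_PATH]) {
    console.log(url);
    console.table(audit(url));
  }
}
```

With these inputs the long-subdomain URL renders as `https://accounts.example.com...` under head elision and as `https://...ion.attacker.example` under origin-tail elision; the long-path URL renders as `...e/accounts.example.com/login` under whole-URL tail elision but as the full `https://attacker.example` under origin-tail elision. Note that tail elision of the origin can still cut a label in the middle (`ion.attacker.example` above); a production implementation should cut on label boundaries and make sure the registrable domain is always fully visible.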

This should be split into at least a desktop issue and a mobile issue. We may want to further break this into Fenix and Focus issues as they have separate address bars.

(In reply to Kevin Brosnan [:kbrosnan] from comment #11)
> This should be split into at least a desktop issue and a mobile issue. We may want to further break this into Fenix and Focus issues as they have separate address bars.

We already have a desktop issue (bug 1598175) and a fenix issue ( https://github.com/mozilla-mobile/fenix/issues/6762 ). I don't know about Focus.

Since we already have those other issues let's make this the "Focus" one.

These are known UI issues (e.g. we have ourselves contributed to badssl.com) so we don't need to hide this bug.

Group: mobile-core-security
Product: Fenix → Focus
Version: unspecified → ---
OS: Unspecified → Android
Component: Security: Android → General

This bug will require guidance from UX design.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
See Also: → 1670725