Open Bug 1770227 Opened 2 years ago Updated 16 days ago

NotificationDB.sys.mjs does not perform origin checks on received messages

Categories: Core :: DOM: Notifications, defect
People: Reporter: tjr, Unassigned
References: Blocks 1 open bug

Details

This would allow a rogue content process to forge Notifications from another domain, which could be used for phishing-type attacks.

Component: IPC → Notifications and Alerts
Product: Core → Toolkit
See Also: → CVE-2022-1802

The severity field is not set for this bug.
:tspurway, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tspurway)

:mardak, could you take a quick look at this - it sounds a bit sinister

Flags: needinfo?(tspurway) → needinfo?(edilee)

gerard-majax, do you recall if origin checks weren't necessary for some of these messages?

Flags: needinfo?(edilee) → needinfo?(lissyx+mozillians)

I see two NotificationDB.jsm; which one are we talking about?

Flags: needinfo?(lissyx+mozillians)

This probably applies to both the old and new implementation (new is used on Nightly, old is used on other branches).

(In reply to Ed Lee :Mardak from comment #3)

> gerard-majax, do you recall if origin checks weren't necessary for some of these messages?

I'm sorry, but this is code that was already there, and I really have no memory of that specific point. Is it possible this is code that back then was only exposed through privileged APIs and not to general content, and thus we did not really have to care?

This code has only ever been exposed through privileged APIs. The concern is about privilege escalation when a content process gets taken over by a hostile website. E.g. if you visit evil dot com and that website manages to use an exploit to take over the child process, we don't want it to be able to start pushing out things that look like Gmail notifications.

(In reply to Andrew McCreight [:mccr8] from comment #7)

> This code has only ever been exposed through privileged APIs. The concern is about privilege escalation when a content process gets taken over by a hostile website. E.g. if you visit evil dot com and that website manages to use an exploit to take over the child process, we don't want it to be able to start pushing out things that look like Gmail notifications.

My point being, I have no memory of specifically having to work on the origin part, so I really don't remember anything specific about it. The only memory I have about it is being used for indexing in the database, and so I assume we expected code calling us to have done the checks.
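The privilege-escalation concern from comment 7, as an added illustration that is not code from NotificationDB.sys.mjs or any other Firefox module: a parent-side save handler that trusts the origin carried in the payload, beside one that takes the origin from the sender's principal and rejects a mismatch. The message name, the msg.principal field and the Map-based store are assumptions modelled loosely on message-manager style handlers.

```javascript
"use strict";

// Added illustration, not Firefox code. Message names, the msg.principal field
// and the store layout are assumptions modelled on message-manager handlers.

// In-memory stand-in for the per-origin notification store (assumed layout).
function makeStore() {
  return new Map(); // origin -> array of notification records
}

// Vulnerable pattern: the origin used as the database key comes from the
// payload, which a compromised content process controls entirely.
function saveUnchecked(store, msg) {
  const { origin, notification } = msg.data;
  if (!store.has(origin)) store.set(origin, []);
  store.get(origin).push(notification);
  return { ok: true, origin };
}

// Hardened pattern: take the origin from the sender's principal, which the
// parent process attaches and the child cannot choose, and drop any payload
// whose claimed origin disagrees with it.
function saveChecked(store, msg) {
  const senderOrigin = msg.principal && msg.principal.origin;
  if (typeof senderOrigin !== "string") {
    return { ok: false, reason: "no sender principal" };
  }
  const { origin, notification } = msg.data;
  if (origin !== senderOrigin) {
    // Reject rather than silently re-key: a mismatch means the child is lying.
    return { ok: false, reason: "origin mismatch", claimed: origin, actual: senderOrigin };
  }
  if (!store.has(senderOrigin)) store.set(senderOrigin, []);
  store.get(senderOrigin).push(notification);
  return { ok: true, origin: senderOrigin };
}

// Constructed sample: a child process for evil.example claiming mail.example.
const FORGED = {
  name: "Notification:Save",
  principal: { origin: "https://evil.example" },
  data: { origin: "https://mail.example", notification: { id: "n1", title: "New mail" } },
};
// Constructed sample: an honest message whose claimed origin matches the sender.
const HONEST = {
  name: "Notification:Save",
  principal: { origin: "https://mail.example" },
  data: { origin: "https://mail.example", notification: { id: "n2", title: "New mail" } },
};
```

With the unchecked handler the forged record lands under mail.example; with the checked one it is refused and the store stays empty until an honest message arrives.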

The severity field is not set for this bug.
:tspurway, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tspurway)
Severity: -- → S3
Flags: needinfo?(tspurway)
Component: Notifications and Alerts → DOM: Notifications
Product: Toolkit → Core
Component: DOM: Push Subscriptions → DOM: Notifications
Summary: NotificationDB.jsm does not perform origin checks on received messages → NotificationDB.sys.mjs does not perform origin checks on received messages