Addressbar entry with "something@domain.example " should be a search
Categories: Firefox for iOS :: General, task
People: Reporter: bauert20, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 2 files
Hello, I recognize this may already be an accepted risk given the history of Mozilla's program, but I wanted to report it nonetheless. In the Firefox Android app, if a victim navigates to the PoC URL https://google.com.@bing.com, the user is warned about the presence of the @ character which will insecurely redirect users to a malicious site. However, in the iOS app, that is not the case. The user is automatically directed to the site despite the presence of the @ character in the URL.
Please see the attached screenshot (Android app) and brief PoC video (iOS app) for evidence of the issue.
In addition, I first came upon this issue as the issue also exists when scanning QR codes that contain the same URL string https://google.com.@bing.com, where the @ character is insecurely parsed to redirect to the malicious site.
For comparison, if you use the same URL bing.com@google.com in the Google Chrome or Safari apps, the user is redirected to a search engine query (whatever the default search engine is), mitigating the issue entirely. If this will be triaged as a valid security issue then please let me know as I'd like to submit similar behavior in a second report for another affected Mozilla app. Thank you!
Comment 5•2 years ago
Android does that because the Gecko engine does that, and that check in Gecko is because ancient phishing campaigns in the days of plaintext-but-linkified mail, chat, and blog comments used that format to trick people about what domain people are visiting. It's not really a thing phishers do these days. It affects text entered into the addressbar as a consequence, but people typing these manually weren't the target.
On iOS the WebKit engine doesn't have this warning. Without the scheme in front our address bar heuristics shouldn't match this as a URL because an intentional use of the "user:pass@" URL syntax is almost non-existent. We should defer to a search like Safari and Chrome.
Without an explicit scheme we should do the same on Android and Desktop, too!
But this doesn't need to be hidden as a security bug.
If this isn't a security bug then we can move this issue to the GitHub issue tracker: https://github.com/mozilla-mobile/firefox-ios/issues/new/choose
Comment 7•2 years ago
Although Desktop and Android do have the warning, we still ought to do a search on these non-URLs rather than adding the scheme to turn them into URLs.
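The heuristic proposed in comments 5 and 7 (treat bare "user@host" text as a search, and only navigate when an explicit scheme is present), written out as an added illustration. This is not Firefox's code; the function names and the rule set are hypothetical, and it uses Python's urlsplit to show how a URL parser assigns everything before the last "@" to userinfo and the real host to what follows.

```python
import re
from urllib.parse import urlsplit

# Matches an explicit scheme such as "https://" at the start of typed text.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def split_authority(url: str):
    """Return (userinfo, host) the way a URL parser reads the authority.

    Everything before the last '@' in the authority is userinfo (the part a
    phisher wants the reader to see); the host the browser connects to is
    what comes after it.
    """
    parts = urlsplit(url)
    userinfo = None
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
    return userinfo, parts.hostname


def classify_addressbar_input(text: str) -> dict:
    """Hypothetical address-bar rule (not Firefox's implementation).

    - explicit scheme: navigate; surface any userinfo so the UI can warn,
      the way Gecko does on Android and Desktop
    - no scheme: a space, an '@', or no dot means this is a search term,
      otherwise prepend https:// and navigate
    """
    text = text.strip()
    if SCHEME_RE.match(text):
        userinfo, host = split_authority(text)
        return {"action": "navigate", "host": host,
                "userinfo": userinfo, "warn": userinfo is not None}
    if " " in text or "@" in text or "." not in text:
        # Deliberate "user:pass@host" typing is rare enough that bare text
        # containing '@' is better served as a search, like Safari and Chrome.
        return {"action": "search", "query": text}
    _, host = split_authority("https://" + text)
    return {"action": "navigate", "host": host, "userinfo": None, "warn": False}


if __name__ == "__main__":
    # Constructed inputs mirroring the report's examples.
    for typed in ("google.com.@bing.com", "https://google.com.@bing.com", "bing.com"):
        print(typed, "->", classify_addressbar_input(typed))
```

The simplified "no dot means search" rule also sends single-label hosts such as localhost to search; a real implementation would consult a host list or the user's history before deciding.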
But this doesn't need to be hidden as a security bug.
I don't entirely agree with this, but I recognize classifying this as a security issue versus software bug is very subjective. There are many disclosed reports for various bug bounty programs outlining the use of the @ to perform open redirect attacks. I classified it as a security issue given the phishing attack component and lack of a warning prompt in iOS. This issue is also present in the Firefox Focus app as well.
I can provide more examples of similar publicly disclosed bugs that were treated as security issues, but if you've already made a final ruling on classifying this as a software bug then I'll respect the team's decision. Thank you!
Am I allowed to comment on https://bugzilla.mozilla.org/show_bug.cgi?id=1851722 too? You stated: "We do give users an obscure warning about phishing if they do this, but it's such an obscure feature that people don't even know what that means.", but that is not true for the iOS Firefox and Firefox Focus apps.