iOS Firefox Focus UXSS
Categories
(Focus :: Security: iOS, defect)
Tracking
(firefox122+ fixed)
People
(Reporter: proof131072, Assigned: lmarceau)
References
Details
(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(6 files)
We are able to achieve UXSS on iOS Firefox Focus with window.open().
document.write shows we are escalating to legitimate top origin site.
PoC demo
Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php
<iframe src="https://pwning.click/uxsstester.php"/></iframe>
Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php
<script>
function a(){
window.open('javascript:document.write(document.domain)', 'x');
setTimeout(function(){
window.open('');
}, 500000);
}
</script>
<center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
Updated•1 year ago
|
Comment 1•1 year ago
|
||
The site https://qrcodescanerror.000webhost.com/UXSS.php appears down or unreachable from California. Thank you for including the testcase source in the bug this time.
Comment 2•1 year ago
|
||
Comment 3•1 year ago
|
||
I could not reproduce the claimed UXSS using the the PoC I attached based on comment 0. Since the main work is done by the framed pwning.click page it shouldn't have been possible for me to screw that up, but please check.
The results I see:
- clicking on the "Trigger UXSS" button causes a new window
- that window says "about:blank" in the address bar (expected for script-created content)
- the content of the window says
pwning.click
(the output ofdocument.domain
) - never see a second window open after a 500 second timeout even though I kept my device from going asleep for more than the full 8+ minutes. I'm not sure what opening a blank window that late would accomplish, plus I'd expect safari to block it since the "user activation" was already consumed by the first popup.
I don't see an XSS here: the framed content was hosted at pwning.click, and the new window also appears to be the domain pwning.click.
Expected results according to comment 0
My interpretation of "document.write shows we are escalating to legitimate top origin site." (which matches my definition of XSS) means I should have seen the text bug1855030.bmoattachments.org
, or if I was able to load the site mentioned in comment 0 I should have seen qrcodescanerror.000webhost.com
I'm using Firefox for iOS 117.3, on iOS 16.7
James: what version of FIrefox for iOS were you testing? Can you still reproduce this? What version of iOS do you have, and can you reproduce this on the Safari on your machine?
Latest iOS and please test on Firefox Focus not Firefox.
And no, it doesn't work on Safari but only on Focus. I also confirmed that JavaScript runs on Top Origin Site https://bug1855030.bmoattachments.org with your attached test case.
There is also a side impact of Focus showing empty address bar, which is an example of blank address bar spoof to use it together with https://bugzilla.mozilla.org/show_bug.cgi?id=1853592 so I'll add it on that report.
Please note that for both reports, there was some confusion from your side since testing should be done on "Focus" but it was done on Firefox.
I understand this can happen time to time so please check on that part and test on Focus. Thanks!
Comment 6•1 year ago
|
||
please test on Firefox Focus not Firefox.
Ugh, sorry, wasn't paying enough attention to what I was doing.
Updated•1 year ago
|
Comment 7•1 year ago
|
||
If this isn't fixed by the same thing as bug 1855575 then this is sec-high.
Comment 8•1 year ago
|
||
The severity field is not set for this bug.
:jeevans, could you have a look please?
For more information, please visit BugBot documentation.
I believe this is sec-critical due to identical impact to bug id 1719026 Android Firefox Focus Semi-UXSS I discovered before which was assigned as sec-critical without Full UXSS part I described on https://bugzilla.mozilla.org/show_bug.cgi?id=1719814 because of https://bugzilla.mozilla.org/show_bug.cgi?id=1719026#c8 (it's a reliable and easy attack vector that could spread quickly once known, and will be easy to deduce from most imaginable ways of patching this.)
Comment 10•1 year ago
|
||
Checking this as well, what are the steps here
visit: https://bug1855030.bmoattachments.org/ and then I land or bugzilla. While going https://pwning.click/uxsstester.php nothing happens.
Reporter | ||
Comment 11•1 year ago
|
||
Tap on Cool Genius Cat to reproduce this issue, thanks!
Reporter | ||
Comment 12•1 year ago
|
||
Comment 13•1 year ago
|
||
But how would one do that on a Focus browser, this needs to be deployed to a webpage page right?
Comment 14•1 year ago
|
||
My steps are
- https://pwning.click/uxsstester.php
- Tap on Cool Genius Cat
- Nothing happens
See the attachment in my next comment, lmk if there are any other steps
Comment 15•1 year ago
|
||
Reporter | ||
Comment 16•1 year ago
|
||
You just need to click it which will load https://bug1855030.bmoattachments.org/attachment.cgi?id=9365073 and you can test it on there. document.domain should return the Origin we're running JavaScript which is https://pwning.click not https://bug1855030.bmoattachments.org
Reporter | ||
Comment 17•1 year ago
|
||
Try that by clicking on the attachment or on https://bug1855030.bmoattachments.org/attachment.cgi?id=9365073 not https://pwning.click/uxsstester.php
https://pwning.click/uxsstester.php is a main but frame document to test this UXSS vulnerability.
Reporter | ||
Comment 18•1 year ago
|
||
typo: *is not a main
Comment 19•1 year ago
|
||
Comment 20•1 year ago
|
||
Comment on attachment 9365077 [details]
Screenshot 2023-11-22v2.png
Tapping on the attachment shows its loading, is that what you meant James?
Reporter | ||
Comment 21•1 year ago
|
||
Yes, thanks for the confirmation!
Reporter | ||
Comment 22•1 year ago
|
||
Dan also explained this behaviour on https://bugzilla.mozilla.org/show_bug.cgi?id=1855030#c3 "Expected results according to comment 0" FYI.
Comment 23•1 year ago
•
|
||
Few things here
a) Focus doesn't have multi window support so I am not sure if this particular script is what I would consider UXSS
b) You are trying to run javascript and want to control that in WKWebview, that isn't something directly possible unless we disable it as whole. Firefox (Desktop) does the same by opening in a new link. You see about:blank in Firefox desktop as its a new tab. However in Focus we use the same webview and create one on top of the same webview.
I am not aware of any api that I can use that would help us intersect the request from that a() link
Reporter | ||
Comment 24•1 year ago
|
||
This is UXSS because of the reason you explained on "a)". Please check Android Firefox Focus version of this vulnerability I found before on https://bugzilla.mozilla.org/show_bug.cgi?id=1719026
Reply to "b)": I'm not trying but it's already UXSS since you can check document.domain value returned Top Origin site allowing to run any JavaScript (I know the size is small so it could be hard to see that but could be clearly checked from https://bugzilla.mozilla.org/show_bug.cgi?id=1855030#c19
Comment 25•1 year ago
|
||
Tracking it here: https://mozilla-hub.atlassian.net/browse/FXIOS-7773
Reporter | ||
Comment 26•1 year ago
|
||
Thanks! could we check we can reproduce https://bugzilla.mozilla.org/show_bug.cgi?id=1855117 and I have other bug that I'll report soon which I can prove this and https://bugzilla.mozilla.org/show_bug.cgi?id=1855117 is different root cause. Please also let me know on reproducing https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 sometime later!
Thanks.
Assignee | ||
Comment 27•11 months ago
|
||
Comment 28•11 months ago
|
||
Hello, can someone help me with some steps on what needs to be verified here?
I wanna verify the fix and I wanna see how it was before and how it's now to make sure I verify it correctly.
Comment 29•11 months ago
|
||
I will ping you with steps [:andrei]
Updated•11 months ago
|
Comment 30•11 months ago
|
||
Verified as fixed on v9000 (17517) with iPhone 15 Pro (17.1.2).
Please note that there was no JS on the URL.
After tapping on the genius cat nothing happened.
Updated•11 months ago
|
Updated•11 months ago
|
Updated•11 months ago
|
Comment 31•11 months ago
|
||
This patch adds a call to URIFixup(), but presumably that only helps because the fix for bug 1855575 added a check for "javascript:" in URIFixup
Assignee | ||
Comment 32•11 months ago
|
||
Assignee | ||
Comment 33•11 months ago
|
||
[Tracking Requested - why for this release]:
Updated•11 months ago
|
Updated•11 months ago
|
Updated•6 months ago
|
Updated•3 months ago
|
Description
•