Closed Bug 1874560 (CVE-2024-5022) Opened 1 year ago Closed 1 year ago

iOS Firefox Focus file:// URI address bar spoofing

Categories

(Focus :: Security: iOS, defect)

Firefox 126
defect

Tracking

(firefox126 fixed)

RESOLVED FIXED
Tracking Status
firefox126 --- fixed

People

(Reporter: proof131072, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

We are able to spoof the address bar of iOS Firefox Focus with a file:// URI as if we are on https.

This is worse than some spoof issues like https://bugs.chromium.org/p/chromium/issues/detail?id=809062 since the file:// part is not viewable by users; only facebook.com is shown, just like when we are on https.

Flags: sec-bounty?
Attached file 1874560.html

Please Tap on Genius Cool Cat to reproduce this issue.

This doesn't work with other URIs like about://, data:// etc.

Group: firefox-core-security → mobile-core-security
Component: Security → Security: iOS
Product: Firefox → Focus

The URL bar does have the crossed out shield which I guess means not secure? But otherwise this looks fairly convincing from the video.

That's tracking protection, please tap on that to check SSL lock with secure.

Ah, right. Sorry for the confusion.

No problem, I'll add the video of that too.

Ah, SSL lock with secure is already shown in the demo video 0:04, sorry for the confusion.

Summary: OS Firefox Focus file:// URI address bar spoofing → iOS Firefox Focus file:// URI address bar spoofing

Hi James, just to clarify and make sure I'm understanding: the issue here is that the URL shown in the address bar is incorrect on Focus (and has been spoofed), is that correct? I noticed there were some comments regarding the SSL lock and wanted to just double-check whether there were any other security issues involved. Thank you

Hi mreagan, that's correct, and it's the same bug that allows spoofing the SSL lock as secured too (full address bar spoof with the SSL lock enabled).

Please test with https://bugzilla.mozilla.org/attachment.cgi?id=9372707 after logging in to Bugzilla on Focus.

Hey James, I took a look yesterday at both Firefox and Focus and I was curious how the spoofing works. It seems on Firefox we don't get a callback with the file://facebook.com and I'm looking to find out why, so that's one first difference.

Flags: needinfo?(proof131072)

Hi Razvan, thanks for letting me know.

That's because Focus allows window.open() of "file://facebook.com" while Firefox doesn't.

So the fix could be not allowing file:// to be opened with window.open() from Focus.
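The two checks a browser needs here, as an added example that is not firefox-ios code: a scheme allow-list for window.open() targets (the fix the comment above proposes) and an address bar rendering rule that only hides the scheme for http(s), so a file:// URL can never be displayed as a bare host with a lock. The function and constant names, and the sample URLs, are assumptions constructed for this example.

```swift
import Foundation

// Hypothetical policy helpers (added example, not firefox-ios code).
// Only web schemes may be opened through window.open().
let popupAllowedSchemes: Set<String> = ["http", "https"]

/// Returns true if a window.open() target should be permitted.
/// A file:// URL such as file://facebook.com is rejected here.
/// In a WKWebView app this belongs in WKUIDelegate's
/// webView(_:createWebViewWith:for:windowFeatures:), returning nil
/// to refuse the popup when this check fails.
func shouldAllowPopupNavigation(to url: URL) -> Bool {
    guard let scheme = url.scheme?.lowercased() else { return false }
    return popupAllowedSchemes.contains(scheme)
}

/// What the address bar should display. The host is shown on its own
/// only for http(s); any other scheme keeps its scheme visible so that
/// file://facebook.com cannot masquerade as https://facebook.com.
func addressBarText(for url: URL) -> String {
    let scheme = url.scheme?.lowercased() ?? ""
    if scheme == "http" || scheme == "https", let host = url.host {
        return host
    }
    return url.absoluteString
}

/// The secure lock indicator is earned by https only.
func showsSecureLock(for url: URL) -> Bool {
    return url.scheme?.lowercased() == "https"
}

// Constructed sample inputs: the spoof shape from the report and a real site.
let spoofAttempt = URL(string: "file://facebook.com/")!
let realSite = URL(string: "https://facebook.com/")!

assert(!shouldAllowPopupNavigation(to: spoofAttempt))
assert(shouldAllowPopupNavigation(to: realSite))
assert(addressBarText(for: spoofAttempt) == "file://facebook.com/")
assert(addressBarText(for: realSite) == "facebook.com")
assert(!showsSecureLock(for: spoofAttempt))
assert(showsSecureLock(for: realSite))
print("popup policy and address bar checks passed")
```

Blocking the popup alone closes this report's path, but the display rule is the defence in depth: even if a file:// document is reached some other way, the user sees the scheme and no lock.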

Flags: needinfo?(proof131072)

Could I have a review on my proposed solution? https://github.com/mozilla-mobile/firefox-ios/pull/19968.

Note: fix has been merged & backported, targeting v126

Hello, can you please provide some steps to verify this issue?

It's in comment 1 #c1: Login to bugzilla from Focus and follow the step, which is "Tap on Genius Cool Cat to reproduce this issue." with the attached 1874560.html file.

Validated this issue using Focus v126 (41601). Confirming that on tapping on Genius Cool Cat the user is not redirected to facebook.com anymore, but the user is redirected to the pwning.click URL.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+

Version: unspecified → Firefox 126
Attached file advisory.txt
Alias: CVE-2024-5022
Group: core-security-release