iOS Firefox Download UXSS
Categories
(Firefox for iOS :: General, defect)
Tracking
Tracking | Status
---|---
fxios 129 | ---
People
(Reporter: proof131072, Unassigned)
References
Details
(Keywords: csectype-sop, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(3 files)
We are able to achieve UXSS by downloading a link from inside a frame to the Top Origin and any site like https://google.com (I need to confirm and find the PoC for this case).
This is worse than the past download bug https://bugzilla.mozilla.org/show_bug.cgi?id=1653827 since this is UXSS, allowing all of them and stealing cookies etc.
One of the test cases resulted in the overlay of the menu after navigation to https://google.com, so the download led to UXSS on https://google.com. I can't find that exact case at the moment, but I attached the frame to Top Origin case like in the past issue (https://www.mozilla.org/en-US/security/advisories/mfsa2020-34/).
I found that and decided to open a new report https://bugzilla.mozilla.org/show_bug.cgi?id=1874964 since overriding the context menu on any site we are targeting will likely require a separate fix from this download UXSS issue.
Maybe https://bugzilla.mozilla.org/show_bug.cgi?id=1874907 could be merged into this, though, if I can't find any other way to abuse it; while the content is different, it looks like one fix could fix both of these reports.
Comment 5•2 years ago
The attachment and bug description leave a lot of gaps you have to fill in yourself. What is happening:
- Testcase is a "victim" page, on the bmoattachments.org site. It frames a different origin, the attacker https://pwning.click
- The framed attacker has an <A> link that contains a javascript: URL. It's perfectly valid as a link for it to do stuff in the pwning.click page.
- the victim wants to download that link and long-presses
- the URL is spoofy due to a javascript comment
- when the user "downloads" the javascript is run. But it is run in the context of the TOP page, not the framed origin it came from
This is cross-site scripting, somewhat mitigated by the fact that a victim site has to frame the malicious content, and the victim user has to want to "download" something.
The framed content is
<a href="javascript://m.facebook.com/photo.php?fbid=111789595853599&set=a.111055039260388.1073741826.100010676767694&type=3&theater%0Adocument.write(document.domain)">Please download this Facebook link</a>
Everything up to the %0A encoded line-break is a comment.
Running Javascript as a download is already a bug (bug 1874907), but running it in the wrong origin turns it into a big security problem (with some mitigations, as mentioned).
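As an added illustration (not code from this bug or from Firefox for iOS), a small Python sketch of the scheme check a "download link" handler needs, run over the exact href quoted above: it shows why the link reads like a Facebook URL yet resolves to the javascript: scheme, which part is only a comment, and which part would execute. The allow-list of schemes is an assumption for the example.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy for the example: a download action may only hand these
# schemes to the network layer; anything else is refused, never "opened".
DOWNLOADABLE_SCHEMES = {"http", "https"}

# The framed attacker's href exactly as quoted in comment 5 above.
SPOOFED_HREF = ("javascript://m.facebook.com/photo.php?fbid=111789595853599"
                "&set=a.111055039260388.1073741826.100010676767694&type=3&theater"
                "%0Adocument.write(document.domain)")


def scheme_of(href: str) -> str:
    """Lower-cased scheme of an href, ignoring surrounding whitespace.

    Using the real URL scheme is the point: the visible '//m.facebook.com'
    is not a host here, because the scheme in front of it is 'javascript'.
    """
    return urlsplit(href.strip()).scheme.lower()


def explain_javascript_url(href: str) -> dict:
    """Split a javascript: URL into what a reader sees and what would run.

    Everything after 'javascript:' is percent-decoded and evaluated as
    script, so a leading '//' makes the look-alike host and path a line
    comment that ends at the first decoded %0A; the code follows it.
    """
    body = unquote(href[len("javascript:"):])
    comment, _, executed = body.partition("\n")
    return {
        "looks_like_host": comment.startswith("//"),
        "comment": comment,
        "executed": executed,
    }


def is_safe_to_download(href: str) -> bool:
    """Gate for a 'Download link' context-menu action: allow-list the scheme."""
    return scheme_of(href) in DOWNLOADABLE_SCHEMES


if __name__ == "__main__":
    print(scheme_of(SPOOFED_HREF), is_safe_to_download(SPOOFED_HREF))
    print(explain_javascript_url(SPOOFED_HREF))
```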
Yeah, sorry for that. I can't type for too long due to an injury for now, so I relied on the fact that https://bugzilla.mozilla.org/show_bug.cgi?id=1653827 already had a test case for the framed page with link download.
Comment 7•1 year ago
Verified as fixed on v129 (43869), with iPhone 15 Pro (17.5).
I confirm that javascript:// did not run when downloading the link.
Please note that I followed the steps from this issue. Comment 4.
We don’t have a Download Link button in the Context Menu.
Note: tracking with Jira https://mozilla-hub.atlassian.net/browse/FXIOS-9254
bug 1874964 needs to be closed too, since the fix for bug 1874907 resolved both this one and bug 1874964.
The worst impact is in bug 1874964, which could grant low-end sec-high due to almost the same impact as this low-end sec-high context menu UXSS: https://bugzilla.mozilla.org/show_bug.cgi?id=1465160
Please check in the meantime, thanks!