Closed Bug 1875925 (CVE-2024-31392) Opened 2 years ago Closed 2 years ago

Firefox on iOS incorrectly shows pages with Mixed Content as secure

Categories

(Firefox for iOS :: General, defect)

Tracking


VERIFIED FIXED
Tracking Status
fxios 124 ---

People

(Reporter: chaykin.artem, Unassigned)

Details

(Keywords: reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Firefox on iOS shows that the connection is not secure if a page has mixed content, for example an HTTPS page that loads HTTP images or has an HTTP form. This is achieved by checking the webView.hasOnlySecureContent flag.
Both examples can be observed on https://stoletheminerals.github.io/mixedcontent.html and https://stoletheminerals.github.io/mixedform.html
However, if the page dynamically adds this content with a delay (I found that 1 second is enough to reproduce it), either an image or a form, or both, the URL bar icon will not update correctly and will show the page as secure, even though it isn't.
The PoC is here: https://stoletheminerals.github.io/mixedynamic.html

<!DOCTYPE html>
<html>
<body>
<script>
  // Wait one second after load, then inject mixed content so the
  // initial security state (all secure) is already shown in the URL bar.
  setTimeout(function() {
      // Plain-HTTP image: an insecure subresource load on an HTTPS page.
      var image = document.createElement("img");
      image.setAttribute("src", "http://very.badssl.com/image.jpg");
      document.body.appendChild(image);
      // Form that submits to a plain-HTTP action URL.
      const form = `
        <form action="http://stoletheminerals.github.io/mixedform.html" method="post">
          <label for="message">Message:</label><br>
          <textarea id="message" name="message"></textarea><br>
          <input type="submit" value="Submit">
        </form>
      `;
      document.body.innerHTML += form;
    }, 1000);
</script>
</body>
</html>

If you click on the lock icon in the URL bar, the pop-up will show that the page is insecure, but the main icon still shows this as secure (see screenshot attached).

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS

It's possible the underlying webkit is implementing the newer version of the mixed-content spec and upgrading the display content rather than loading it insecurely (Firefox nightly on desktop is doing this, as has Chrome for a long while).

Or it could be an insecure load and we're not listening to some event from webkit that indicates the security state changed? Do you know, Laurie? I don't have a set up where I could debug this on iOS.

Not a terrible security problem or we wouldn't let the content load in the first place, but it's wrong not to inform users if some of the images are potentially tampered with.

Flags: needinfo?(lmarceau)
Keywords: sec-low
Attached image Safari debugger

Hi Daniel. It 100% loads it insecurely; you can check it in Safari's debugger (please check the new screenshot attached, that one was from Firefox that I built from GitHub sources). I don't think WebKit by default upgrades http media content. In Brave (https://github.com/brave/brave-ios/pull/8680) we achieve this by using a content blocker (https://developer.apple.com/documentation/safariservices/creating_a_content_blocker/), Chrome on iOS is using the same approach afaik.
Also the content blocker won't block/auto-upgrade HTTP forms.

Attached image Safari debugger fixed

Sorry, the previous screenshot didn't show the headers for some reason. Uploaded the new one. You can see that the request was sent to http:// first and badssl.com redirected it to https.

Flags: needinfo?(lmarceau)

Hello, thank you for opening this issue. This is great timing as there's currently work underway in this area. I tagged the related developer so he can have a look and confirm if this is already solved by an opened PR.

Flags: needinfo?(rlitianu)

Hello @chaykin.artem, I'm curious what the expected behaviour is. My understanding is that for all test websites Firefox for iOS should show the lock icon crossed and the website should be marked as not secure?

Hi Razvan. Yes, pretty much, all the test pages should show the Not secure icon. If you check https://stoletheminerals.github.io/mixedynamic.html in Chrome iOS, it will update the URL bar icon once the untrusted content is loaded after the delay. I think the correct approach would be to monitor the hasOnlySecureContent state and change the URL bar icon once it starts to return false.
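The approach suggested above, observing hasOnlySecureContent rather than reading it once at load time, as an added example that is not code from the Firefox for iOS project or the fix PR. It assumes a WKWebView owned by the host app and a hypothetical onChange callback through which the toolbar redraws the lock icon; WKWebView's hasOnlySecureContent is KVO-compliant, so the closure fires again when a page that was secure at load time later injects an http:// subresource:

```swift
import WebKit

// Added example, not Firefox for iOS project code.
// Keeps the lock icon in sync with WKWebView.hasOnlySecureContent for the
// lifetime of the web view, instead of sampling the flag once after load.
final class SecurityStateObserver {
    private var observation: NSKeyValueObservation?
    private(set) var isSecure = false

    // onChange is a hypothetical UI hook: true = show the lock, false = show "Not secure".
    init(webView: WKWebView, onChange: @escaping (Bool) -> Void) {
        // .initial delivers the current value right away; .new delivers every
        // later transition, including the one caused by a delayed http:// <img>
        // or form appended via setTimeout after the page was first shown as secure.
        observation = webView.observe(\.hasOnlySecureContent, options: [.initial, .new]) { [weak self] webView, _ in
            let secure = webView.hasOnlySecureContent
            guard self?.isSecure != secure else { return }
            self?.isSecure = secure
            onChange(secure)
        }
    }

    deinit {
        observation?.invalidate()
    }
}
```

The observer should be created once per web view and retained alongside it; a fresh observer per navigation would miss transitions that happen after the navigation has finished, which is exactly the case the PoC page triggers.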

Cool. I have a PR open with a fix for the tracking protection lock icon. From my testing it seems to work now.

Flags: needinfo?(rlitianu)

I tested your branch and can confirm it works correctly now.

Group: mobile-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+

Verified as fixed on v124 (39092) with iPhone 15 Pro (17.1.2).

Status: RESOLVED → VERIFIED
Attached file advisory.txt
Alias: CVE-2024-31392
Group: core-security-release