Closed Bug 1876851 Opened 1 year ago Closed 4 months ago

1863831 working on latest 122 iOS Firefox Focus via Apple default apps like iOS Mail App

Categories

(Focus :: Security: iOS, defect)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1863831

People

(Reporter: proof131072, Unassigned)

References

Details

(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

We are able to reproduce it via Apple default apps like iOS Mail App.

1. Open https://pwning.click/googleloc.php and immediately leave the browser
2. Open Gmail and type in an Email Title: The first ever YouTube video
   1. "Text to display": https://www.youtube.com/watch?v=jNQXAC9IVRw
   2. "Link to: Web address": firefox-focus://open-url?url=javascript:document.write(document.domain)
   3. Send this to your iOS Apple Mail App sync'd email account address

Flags: sec-bounty?

Of course, the link could be any legitimate link instead like https://google.com, https://apple.com etc.

Group: firefox-core-security → mobile-core-security
Component: Security → Security: iOS
Product: Firefox → Focus
See Also: → CVE-2024-1563
Duplicate of this bug: CVE-2024-1563

The following steps are another way to reproduce this issue (using Safari and the provided links instead of Gmail), as seen in bug 1863831.

Steps to reproduce

  1. Navigate to https://pwning.click/googleloc.php
  2. Leave Focus application (by moving it to background)
  3. Open Safari
  4. Navigate to https://pwning.click/focuslink.php in Safari
  5. Click on the link "Open with Firefox Focus"

Actual behavior

Focus is opened and JavaScript is running

Expected behavior

Focus is opened and JavaScript should not be running

No longer duplicate of this bug: CVE-2024-1563
Keywords: sec-high

This says it's a variant of bug 1863831, but tested in v122 while that bug appears to have been fixed in v123 (I think? checking on that). Is this perhaps exactly the same and is now fixed?

Flags: needinfo?(proof131072)

Bug 1863831 was fixed on v122: https://github.com/mozilla-mobile/focus-ios/pull/3973

But I confirmed bug 1863831 and bug 1880745 were properly fixed on v123 for some reason.

Flags: needinfo?(proof131072)

Please confirm this report worked up to Focus v122.1 like we can check from this demo video link https://pwning.click/RPReplay_Final1708482262.mp4 despite the fix for v122 https://github.com/mozilla-mobile/focus-ios/pull/3973

Sorry for the needinfo here, I just want to make sure that we confirm the above comment.

(In reply to James Lee from comment #6)

Please confirm this report worked up to Focus v122.1 like we can check from this demo video link https://pwning.click/RPReplay_Final1708482262.mp4 despite the fix for v122 https://github.com/mozilla-mobile/focus-ios/pull/3973

Flags: needinfo?(nish.bhasin)
Flags: needinfo?(lmarceau)

(In reply to James Lee from comment #7)

Sorry for the needinfo here, I just want to make sure that we confirm the above comment.

(In reply to James Lee from comment #6)

Please confirm this report worked up to Focus v122.1 like we can check from this demo video link https://pwning.click/RPReplay_Final1708482262.mp4 despite the fix for v122 https://github.com/mozilla-mobile/focus-ios/pull/3973

Ah, I'll cancel needinfo since I should've added them on bug 1880745

Flags: needinfo?(nish.bhasin)
Flags: needinfo?(lmarceau)

Ah my bad, #c7 is correct; this is another one that was also fixed on v123 for some reason.

Sorry for the needinfo here, I just want to make sure that we confirm the above comment.

(In reply to James Lee from comment #6)

Please confirm this report worked up to Focus v122.1 like we can check from this demo video link https://pwning.click/RPReplay_Final1708482262.mp4 despite the fix for v122 https://github.com/mozilla-mobile/focus-ios/pull/3973

Flags: needinfo?(nish.bhasin)
Flags: needinfo?(lmarceau)

Hello, I tested in v123 and indeed it seems like this issue was fixed (we load a search with the "javascript" rather than running the javascript itself). Let me know if you think otherwise. Thank you!

Flags: needinfo?(nish.bhasin)
Flags: needinfo?(lmarceau)
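The repro steps earlier in this bug hand the app a `firefox-focus://open-url?url=...` deep link whose `url` parameter is a `javascript:` URL, and the comment above describes the v123 behaviour: the value is sent to the search engine instead of being executed. The following is an added illustration of that allow-list logic written for this page; it is not Focus's code (Focus is Swift) and the names `extract_target`, `classify_target` and `handle_deep_link` are invented here. It also covers cases the thread does not spell out: an upper-case scheme, a percent-encoded scheme that only becomes `javascript:` after the query parameter is decoded, and a `data:` URL.

```python
from __future__ import annotations

from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed for this example from the deep link shown on the page.
DEEP_LINK_SCHEME = "firefox-focus"
DEEP_LINK_HOST = "open-url"
# Only web URLs are ever navigated to; anything else is treated as search text.
NAVIGABLE_SCHEMES = {"http", "https"}


def extract_target(deep_link: str) -> Optional[str]:
    """Return the decoded `url` query parameter of a firefox-focus://open-url link.

    Returns None for any other scheme/host or when the parameter is missing or
    blank. parse_qs percent-decodes the value, so a target such as
    `%6Aavascript:...` is already `javascript:...` by the time it is classified.
    """
    parts = urlsplit(deep_link)
    if parts.scheme.lower() != DEEP_LINK_SCHEME or parts.netloc.lower() != DEEP_LINK_HOST:
        return None
    values = parse_qs(parts.query).get("url")
    if not values or not values[0].strip():
        return None
    return values[0]


def classify_target(target: str) -> Tuple[str, str]:
    """Decide what to do with a target that arrived via an externally supplied deep link.

    ("load", url) is returned only for http(s) URLs that have a host.
    Everything else (javascript:, data:, file:, scheme-relative or bare text)
    is returned as ("search", text): the text goes to the search engine and is
    never evaluated in the context of whatever page the browser last had open.
    """
    text = target.strip()
    parts = urlsplit(text)
    # urlsplit lowercases nothing by itself; compare the scheme case-insensitively
    # so "JAVASCRIPT:" and "Https:" are handled like their lower-case forms.
    scheme = parts.scheme.lower()
    if scheme in NAVIGABLE_SCHEMES and parts.netloc:
        return ("load", text)
    return ("search", text)


def handle_deep_link(deep_link: str) -> Optional[Tuple[str, str]]:
    """Full pipeline: parse the app deep link, then classify its target."""
    target = extract_target(deep_link)
    if target is None:
        return None
    return classify_target(target)


if __name__ == "__main__":
    # Constructed sample links, including the exact payload from the report.
    samples = [
        "firefox-focus://open-url?url=javascript:document.write(document.domain)",
        "firefox-focus://open-url?url=JAVASCRIPT:alert(1)",
        "firefox-focus://open-url?url=%6Aavascript:alert(1)",
        "firefox-focus://open-url?url=data:text/html,<script>alert(1)</script>",
        "firefox-focus://open-url?url=https://www.youtube.com/watch?v=jNQXAC9IVRw",
        "firefox-focus://open-url?url=first%20ever%20youtube%20video",
        "firefox-focus://other?url=https://example.com",
    ]
    for link in samples:
        print(f"{link!r:90} -> {handle_deep_link(link)}")
```

The important ordering is decode first, classify second: the scheme check runs on the value the app would actually navigate to, not on the raw query string, so percent-encoding in the deep link cannot smuggle a non-web scheme past the allow-list.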

Should this be marked as a duplicate, and/or fixed?

Flags: needinfo?(continuation)
Flags: needinfo?(14.jeevan)

I don't know.

Flags: needinfo?(continuation)

Per the above comments it appears this was fixed in v123; it seems like we can safely close this. However, if anyone has concerns that there are still remaining issues here, please let me know. I'm not entirely sure why it wasn't closed earlier; it looks like it may have been resolved as a side effect of a separate set of changes in Focus.

Flags: needinfo?(14.jeevan)

Note: Bugzilla does not allow me to set the Fix field to the applicable version (it only appears to provide the 3 most recent versions as options). @dveditz Is there any way to properly set that field in the ticket at this point?

Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED

(In reply to mreagan from comment #14)

Note: Bugzilla does not allow me to set the Fix field to the applicable version [...] @dveditz Is there any way to properly set that field in the ticket at this point?

Not really, short of asking admins to force it in there. But since there's no separate fix responsible for this, it seems to be a dupe after all.

Duplicate of bug: CVE-2024-1563
Flags: needinfo?(dveditz)
Resolution: FIXED → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: mobile-core-security