Closed Bug 1878489 (CVE-2024-38313) Opened 1 year ago Closed 9 months ago

URL spoofing by abusing auto hide URL bar feature (FxiOS)

Categories

(Firefox for iOS :: Browser, defect)

Tracking

VERIFIED FIXED
Tracking Status
fxios 127 ---

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

When you scroll a page vertically, the URL bar is automatically hidden. And when you open a new window in this condition, the URL bar in the new window is sometimes kept hidden as well.

If the page content opened in the new window is long enough, the URL bar will reappear as you repeatedly scroll up and down. However, if the content is short, the URL bar is never displayed again until the page is reloaded.

This behavior can be abused for showing a fake address bar.

There are two ways to reproduce this attack scenario. One is easy but unstable; the other requires some steps but is stable.

Reproduction case #1 (unstable)
(1) Visit https://csrf.jp/2024/fxios-url-spoofing/
(2) Scroll down the page and tap the "Open Google" button
(3) A fake Google login page is shown in a new tab, but the address bar says this is "www.google.com"

Reproduction case #2 (stable)
(1) Visit https://csrf.jp/2024/fxios-url-spoofing/open_new_window.php
(2) Scroll down the page and long tap the text link
(3) Tap "Open New Tab" and "Switch"
(4) A fake Google login page is shown in a new tab, but the address bar says this is "www.google.com"

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Browser
Product: Firefox → Firefox for iOS

I haven't verified this, but the spoof looks convincing from the movie.

For context, there's a rework project in the pipeline to redo the whole URL bar/toolbar area. I shared this ticket with the responsible engineer working on that project, as this could be fixed at the same time.

PR https://github.com/mozilla-mobile/firefox-ios/pull/20014 has been merged; the fix will target v127 release of Firefox iOS.

Thanks for the correction. I confirmed that it has been correctly fixed.

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release

Verified as fixed on v127 (41813) with iPhone 13 Pro (15.7.1).
For both cases present in the description I was able to verify that the original and iOS toolbar is correctly displayed at the top.

Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty+
Attached file advisory.txt
Alias: CVE-2024-38313
Group: core-security-release