1905749 - (CVE-2024-53976) Address bar spoof ios show blank

Status: VERIFIED FIXED

(Firefox for iOS :: Browser, defect)

Description

[bharat]

Hi there is a issue where am able to send the user from a link to no url even about:blank not showing on adress bar
Go to mrnoob790.github.io/blank.html
There is a button iff u hold it u will see the website url but just click it and u will see no url on adress bar but the page is still there

Comment 1

[bharat]

<script>
function pwned() {
var t = window.open('', 'ss');
t.document.write(`<h1>Paypal has been moved to</h1><a href="https://evil.com">Evil.com</a>`);
t.stop();
}
</script>
<a href="https://legitsite.com" target="ss" onclick="setTimeout('pwned()','500')">click me2</a>

Comment 2

[Daniel Veditz [:dveditz]]

Attachment: poc.html

Comment 3

[bharat]

Thanks daniel for attach the poc file .i forgot to attach the html file

Comment 4

[Daniel Veditz [:dveditz]]

Your PoC doesn't even execute because markdown ate your quotes. Please actually attach testcases, don't write them in contents where no one can execute them and they might have formatting issues. (plus they might be wrong)

Comment 5

[Daniel Veditz [:dveditz]]

Attachment: poc-redux.html

Comment 6

[Daniel Veditz [:dveditz]]

We used to show literal "about:blank" for an about:blank window (see bug 1738053). I guess we fixed that for empty windows (which we the spec says we should but then STILL didn't fix the the important part which was updating the URLto be the origin of the scripting context if the contents were changed.

Blank is worse than the original "about:blank" problem <facepalm>

Comment 7

[bharat]

Waiting for the team to verify and fix the issue

Comment 8

[bharat]

Any update sir

Comment 9

[mreagan]

Can anyone please confirm: the vulnerability here is that the user is redirected to a potentially malicious page and the URL in the address bar is not correctly being updated (it is remaining blank), is that correct?

Comment 10

[bharat]

(In reply to mreagan from comment #9)

Can anyone please confirm: the vulnerability here is that the user is redirected to a potentially malicious page and the URL in the address bar is not correctly being updated (it is remaining blank), is that correct?

Should i need to attach poc again ?

Comment 11

[mreagan]

Note: tracking with Jira https://mozilla-hub.atlassian.net/browse/FXIOS-9483

Comment 12

[bharat]

(In reply to mreagan from comment #11)

Note: tracking with Jira https://mozilla-hub.atlassian.net/browse/FXIOS-9483

Should i can also join ? There

Comment 13

[bharat]

(In reply to Daniel Veditz [:dveditz] from comment #6)

We used to show literal "about:blank" for an about:blank window (see bug 1738053). I guess we fixed that for empty windows (which we the spec says we should but then STILL didn't fix the the important part which was updating the URLto be the origin of the scripting context if the contents were changed.

Blank is worse than the original "about:blank" problem <facepalm>

Yes i seen these issues in brave
Your adress bar show blank and when u click on adress bar its show about:blank.

Comment 14

[bharat]

Is that bug confirmed ...?

Comment 15

[bharat]

Any update guys its been a week no update

Comment 16

[bharat]

Hi any update ?

Comment 17

[mreagan]

This issue may be addressed as part of forthcoming work to update the toolbar in the iOS client. I reached out to the relevant team members to confirm if we have an ETA on the fix (or whether this should potentially be addressed separately before then).

Comment 18

[bharat]

Thanks for the update i hope it will fix fast

Comment 19

[bharat]

Did u got reply from team when will its fix or ship

Comment 20

[mreagan]

Following up again to find out if this will be addressed by the current toolbar work happening in the iOS client.

Comment 21

[bharat]

Okk

Comment 22

[bharat]

Nust checked in new update these bug is not resolved

Comment 23

[bharat]

Hi @mreagan did u got any update from dev team when will these patched ?

Comment 24

[mreagan]

It doesn't look like this will be addressed by the forthcoming iOS toolbar updates, I'm reaching out again to the team to double-check on when this can be prioritized.

Comment 25

[bharat]

Why its taking time 😅 i reported one bug in chrome in same timeline when i reported these and that bug is low priority issue bug its fixed realeased got bounty everything privious month and these one still there

Comment 26

[bharat]

Hey @mregan any update

Comment 27

[mreagan]

@bharat I'm reaching out to the iOS team again to see if we have any available engineers to investigate the fix here.

Comment 28

[bharat]

@mregan did u recive any update from engineers team

Comment 29

[mreagan]

@bharat Yes the ticket is currently being investigated by iOS engineering. As soon as we have any additional updates we'll be sure to post here.

Comment 30

[bharat]

So finally these one will be fixed

Comment 31

[Nishant Bhasin]

Hi, was looking into this and was wondering is the main issue that you see a blank page or the fact that its opening a link after 500MS?
Is the idea that when a user taps on the link they shouldn't be seeing the evil website? (just double checking here)

Edit: I also see that you mention there is no url in the urlbar but is that for legit website or your evil website?

Asking all these questions so I understand the complexity of the bug here.

Thanks

Comment 32

[bharat]

Hi So u will see when u go to blank.html there is click me buttom iff u hold it it will show its open legit web and when u click it it open blank url spoof page yes its mine website page .

Comment 33

[bharat]

I mean that blank url page is mine website page its need to show about:blank

Comment 34

[Nishant Bhasin]

Yes I see the blank page (legitwebsite link) but whats the issue?

a) Is it the fact that the url bar is not updated?
b) Is it opening another evil page?

or its both?

Comment 35

[bharat]

Its both

Comment 36

[bharat]

If u see these in firefox desktop u will see that evil page url will show my website where victim will know its open my website page

Comment 37

[bharat]

@nishant bhasin check in chrome ios u will see it will not open that blank adressbar page

Comment 38

[bharat]

When will its fix 🙄

Comment 39

[bharat]

(In reply to Nishant Bhasin from comment #34)

Yes I see the blank page (legitwebsite link) but whats the issue?

a) Is it the fact that the url bar is not updated?
b) Is it opening another evil page?

or its both?

When will be its patched @nishant

Comment 40

[mreagan]

@bharat We are investigating a fix, it will likely target the v133 release but once we have confirmed that I'll update. Thank you

Comment 41

[bharat]

Okk

Comment 42

[Andrei Bodea[:andrei]]

Verified as fixed on v133 (47401) with iPhone 15 Pro (18.2).
Here is a video showing that when clicking on the button it redirects correctly to the website.

Comment 43

[bharat]

Hi yes i just tried v133 beta its fixed now .

Comment 44

[bharat]

Hi when will be bounty and cve announced ?

Comment 45

[mreagan]

Hi Bharat, for any questions involving bounties you'll want to email security@mozilla.org. The CVE should be available a bit closer to the v133 RC release date.

Comment 46

[Daniel Veditz [:dveditz]]

We will contact you outside the bug about the bounty. The CVE is usually issued when we're creating the site updates for the final release and advisories.

Comment 47

[bharat]

Okk thanks .

Comment 48

[bharat]

Hi is these issue awarded 500$ its so low even chrome awarded similar type bugs 1k +

Comment 49

[Daniel Veditz [:dveditz]]

We did not consider this a convincing spoof that would fool very many people. But also the payment ranges on our bug bounty program reflect the fact that Mozilla has 1,000 employees and is owned by a non-profit, compared to Google who has 180,000 employees and makes $300 billion a year.

Comment 50

[bharat]

Okk

Comment 51

[mlichtenstein]

Attachment: advisory.txt

Comment 52

[bharat]

Comment on attachment 9439771 [details]
advisory.txt

Please use Bharat(mrnoob) dont use adhikari