Open Bug 1923786 Opened 1 year ago Updated 2 months ago

Browser unresponsive (dos) ios

Categories

(Firefox for iOS :: General, defect)

Product:
Firefox for iOS
Component:
General
Type:
defect

Tracking

()

People

(Reporter: mrnoob790, Unassigned)

Details

(Keywords: csectype-dos, reporter-external, sec-low, Whiteboard: [client-bounty-form])

Attachments

(2 files)

attack.html.txt
502 bytes, text/plain
Details
IMG_2259.png
200.37 KB, image/png
Details

go to mrnoob790.github.io/attack nd on page click 3-4 time go to google.com button then u will in other tab ur website will load slow otherwise dont load

Poc https://www.mediafire.com/file/rjrfv10e7m9s885/ScreenRecording_10-10-2024_00-28-07_1.mp4/file

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS

Can you please attach a copy of the test case to this bug, even if it won't reproduce like that? It is difficult to do view source of a page that rapidly spam reloads and then navigates. Thanks.

Flags: needinfo?(mrnoob790)
Keywords: csectype-dos
Attached file attack.html.txt
Flags: needinfo?(mrnoob790)

In testing so far I haven't been able to replicate a full DOS here, though I might be doing something incorrectly. The closest I got was by spam-clicking the button in the linked page, and then rapidly switching back and forth between tabs. In that scenario I was able to get the attack page to lock up (and it appeared to cause other tabs to avoid loading) but that state was temporary and only lasted for about ~5 seconds in my case, after which the app appeared to resume functioning normally.

See these video https://www.mediafire.com/file/6uhus1rm31r5mz6/ScreenRecording_10-12-2024_09-19-06_1.mp4/
My internet speed is 100mbps

Is its ok ticket for firefox focus issue to be there or i need to create a separate one

Flags: needinfo?(mreagan)

Focus and Firefox for iOS are now built from largely the same codebase. For browser content related bugs like this let's assume they're both the same issue and will be fixed together.

Group: mobile-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-

The severity field is not set for this bug.
:jeevans, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jeevans)

Hi @bharat, you'll need to reach out to security@mozilla.org for questions involving bounty rewards.

I tested this POC again and based on what I can see there doesn't appear to be a DOS attack that requires a reboot of the user's device, or one that is persistent across browser restarts. I do see that the UI in the client locks up however when this JS is run, and in some cases the browser will likely need to be quit/relaunched (note: the distinction here is between relaunching the browser vs the entire device).

Note: for me, replicating this so far appears to require clicking multiple times on the JS link and then also switching immediately to a new tab (if I, for example, just close the current tab instead, I cannot replicate). My guess is this will probably be a factor in how this is prioritized given that it's a slightly unusual set of steps that a user would need to be coerced into performing, and once they relaunched their browser the issue is resolved.

@dveditz Can you advise on the security rating for this? Thank you

Flags: needinfo?(jeevans) → needinfo?(dveditz)

Note: our current severity ratings guideline (https://wiki.mozilla.org/Security_Severity_Ratings/Client) specifically mentions DOS requiring a client restart as sec-low, so I'm going to set that priority for now.

Flags: needinfo?(dveditz)
Keywords: sec-low
Severity: -- → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: