Closed Bug 1940875 Opened 1 month ago Closed 1 month ago

HTTP Authentication Spoof on Firefox for iOS & Android

Categories

(Firefox :: Security, defect)

RESOLVED DUPLICATE of bug 1631073

People

(Reporter: frozzipies, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Summary & Details

This vulnerability occurs when there is a condition under which the browser's HTTP Authentication prompt can be spoofed. This means that the omnibox will show paypal.com, for example, and while the omnibox still shows paypal.com, the HTTP authentication prompt from https://eviltrap.site will appear.

Steps to Reproduce

  1. Access the PoC page using Firefox for iOS & Android (https://frozzipies.github.io/httpauthspoof.html)
  2. Press the button
  3. You will see that the URL omnibox shows paypal.com, and the HTTP Authentication pop-up that comes from https://eviltrap.site appears while the omnibox is still on paypal.com

I've attached the PoC, source code, etc. here:
https://drive.google.com/drive/folders/1AkQv0YXYTUMr3_Y2S1bGQzQtAHFxCPIy?usp=sharing

Similar issue references:
https://issues.chromium.org/issues/40055876

Flags: sec-bounty?

Hi! Author of eviltrap.site here. I'm pretty sure this is just a copy of https://github.com/Trikolon/evil-traps/blob/master/src/traps/http-auth-spoof/index.js. You're even using my endpoint in your PoC. This is originally from Bug 791594.

Desktop has fixed this but it's possible mobile has not. This is a known issue so I don't think this bug needs to be hidden.

See Also: → 791594
Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Duplicate of bug: 1631073
Resolution: --- → DUPLICATE
See Also: → 1631073
Flags: sec-bounty? → sec-bounty-

Can we open this up as a duplicate of bug 1631073, which is public? I'm not sure why bug https://bugzilla.mozilla.org/show_bug.cgi?id=1908869 is still hidden though.

Sounds good. I can't speak for the other bug but since this is a duplicate of a public bug we should make it public.

Group: firefox-core-security