Closed Bug 1951533 (CVE-2025-3859) Opened 2 months ago Closed 26 days ago

iOS Firefox Focus elide URL allows address bar spoofing

Categories

(Focus :: Security: iOS, defect)

defect

Tracking

(fxios138)

RESOLVED FIXED
Tracking Status
fxios 138 ---

People

(Reporter: proof131072, Unassigned, NeedInfo)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form])

Attachments

(2 files)

Flags: sec-bounty?
Attached image IMG_0049.png

Firefox Focus on Android shares the same code, but iOS Focus does NOT share the same code with Firefox.

Group: firefox-core-security → mobile-core-security
Component: Security → Security: iOS
Keywords: dupeme
Product: Firefox → Focus

Hi, I see dupeme in some reports; may I know what that's for?

Also, is there any update on whether iOS Focus will also use Firefox, just like Android, in the future? Currently these two are different animals with a few similarities.

Flags: needinfo?(mreagan)

They used to be entirely distinct, but they are sharing many things now. Apparently not this, though.

Hi, I see dupeme in some reports; may I know what that's for?

It's when someone suspects an issue might be a duplicate, but they can't find a duplicate of the issue right away (or they have a potential dupe and they want someone to take a look and confirm).

mreagan, will iOS Focus also switch to the new toolbar?

It's when someone suspects an issue might be a duplicate, but they can't find a duplicate of the issue right away (or they have a potential dupe and they want someone to take a look and confirm).

Thanks for letting me know, Tom!

(In reply to Simon Friedberger (:simonf) from comment #5)

mreagan, will iOS Focus also switch to the new toolbar?

This is obviously subject to change and it would be best to confirm with Product, but my current understanding is that Focus iOS is in maintenance mode and will have no major feature updates for the foreseeable future.

This includes the recent toolbar UI updates implemented for Firefox. So this bug would need to be a one-off fix specific to Focus to address it there.

Flags: needinfo?(mreagan)
Status: NEW → RESOLVED
Closed: 26 days ago
Resolution: --- → FIXED

This doesn't technically qualify for a bounty because the https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ problem is well-known and not original with you, but we are awarding a small award in appreciation that your report made sure this issue was not forgotten on Focus iOS.

Group: mobile-core-security
Flags: sec-bounty? → sec-bounty+

Thanks for letting me know.

How does the test demo link https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ matter when this is about a long subdomain issue on a different product, which is Focus iOS?

This kind of reasoning to deduct the bounty amount is something new that I haven't experienced during my journey of participating in more than 100 bounty programs.

We could of course just use one of my registered long subdomain websites, like https://googleverifyaccountscloudplatform.geniuscoolcat.com/ for example.

I understand the team is trying to say this "idea" is not original, but deducting the bounty amount dramatically because of it is something I have never experienced and don't understand, despite the actual impact being S1 in Google Chrome (https://issues.chromium.org/issues/40087176), which was assigned as S1, High Severity, the same as sec-high here for this report, which means impact-wise this could at least grant the high end of sec-moderate.

Especially in the situation that I'm the first and only one who sent it for the applicable product, which is Focus iOS.

Let me bring some of my examples from multiple different vendors.

I had lots of cases where I didn't use the original "idea", with many issues that affected multiple vendors (including vendors with bad reputations in the infosec community, but even they did not deduct the bounty amount like this based on that), like the Opera browser or mail apps like Yahoo Mail, and the results were all full rewards at the applicable impact they assigned, which was P1 and High, with no deduction of the reward amount just because a certain idea might have been known and was used in the report.

Flags: needinfo?(dveditz)
Attached file advisory.txt
Alias: CVE-2025-3859