Closed Bug 1954033 (CVE-2025-6433) Opened 1 year ago Closed 1 year ago

Incomplete WebAuthn implementation leads to signing of challenges without legit TLS-certificates

Categories

(Core :: DOM: Web Authentication, defect, P2)

Firefox 135
defect

Tracking


RESOLVED FIXED
140 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- wontfix
firefox139 --- wontfix
firefox140 + fixed

People

(Reporter: firefox, Assigned: jschanck)

References

Details

(Keywords: reporter-external, sec-low, Whiteboard: [adv-main140+])

Attachments

(3 files, 1 obsolete file)

Steps to reproduce:

Scenario:
- A DNS-spoofed website wants you to use Passkeys to log in.
- The user has a valid Passkey for the spoofed site.
- The phishing site sends the "rpid" of the spoofed site.
- The phishing site has a valid TLS certificate for its own domain, but obviously not for the spoofed site. (Firefox recognises this and warns the user about it.)
- The user accepts the risk for the invalid TLS certificate.

I can provide my testing infrastructure to you to reproduce the error, or I can just give you the two websites I used to generate the error.

Actual results:

When I now enter the domain of the spoofed website, I'm actually on the phishing site. Firefox warns me that the TLS certificate is not for the domain I wanted to open. I accept the risk and enter the website. I can now use the "Login with Passkey" button and sign the challenge with my Passkey for the spoofed website.

Expected results:

As per the WebAuthn API specification, https://www.w3.org/TR/webauthn-2/#web-authentication-api §5, the user agent (in this case the Firefox browser) should only relay the rpid and the relying party origin (domain) to the authenticator if a secure context is established. Because the TLS connection can't be considered a secure connection, Firefox should not call the WebAuthn API and relay the data. Chromium throws this error: "NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors.", Brave this: "NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors." This is the error Firefox also should return.

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core
Group: core-security → dom-core-security

WebAuthn is allowed in secure contexts, but the specification adds a further
restriction that on the web "this only includes [secure contexts] accessed via
a secure transport (e.g., TLS) established without errors." We had previously
allowed WebAuthn when a certificate error override was used in establishing the
channel. This patch disallows WebAuthn when an untrusted issuer or domain
override is used. We continue to allow WebAuthn when a validity period override
is used.
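Added illustrative model, not Firefox's code and not the reporter's test sites, of the two user-agent gates that the reporter's expected results and the patch description above rely on: the rpId-versus-origin check, and a transport check in which untrusted-issuer and domain certificate overrides block WebAuthn while a validity-period override does not. The host names, the `tls` descriptor shape and the reason strings are assumptions, and the registrable-domain check is simplified (a real user agent consults the Public Suffix List).

```javascript
// Added model (not Firefox code) of the checks a user agent applies before it
// forwards a WebAuthn request to an authenticator. Host names, the `tls`
// descriptor and the reason strings below are assumptions for illustration.

// Simplified registrable-domain-suffix check from the WebAuthn spec: the rpId
// must equal the origin host or be a suffix of it preceded by a dot, and must
// itself contain a dot so a bare public suffix such as "com" is rejected.
// A real user agent consults the Public Suffix List instead.
function rpIdMatchesOrigin(rpId, originHost) {
  const rp = rpId.toLowerCase();
  const host = originHost.toLowerCase();
  if (!rp.includes('.')) return false;
  return host === rp || host.endsWith('.' + rp);
}

// tls = { trusted: boolean, override: null | 'issuer' | 'domain' | 'validity' }
// Policy as described in the patch comment above: a chain accepted only via an
// untrusted-issuer or domain-mismatch override is not "TLS established without
// errors"; a validity-period (expired / not-yet-valid) override still counts.
function transportEstablishedWithoutErrors(tls) {
  if (tls.trusted) return true;
  return tls.override === 'validity';
}

// Returns null when the request may proceed, otherwise a reason string.
function webauthnGate(request, origin, tls) {
  if (!origin.secureContext) return 'insecure-context';
  if (!transportEstablishedWithoutErrors(tls)) return 'tls-error';
  if (!rpIdMatchesOrigin(request.rpId, origin.host)) return 'rpid-mismatch';
  return null;
}

// Constructed scenario from the report: DNS spoofing makes the phishing page
// load at the spoofed host, so origin and rpId agree and the page is still a
// secure context; only the transport check can stop the assertion.
const spoofedOrigin = { host: 'bank.example', secureContext: true };
const legitTls = { trusted: true, override: null };
const phishingTls = { trusted: false, override: 'domain' };
const expiredTls = { trusted: false, override: 'validity' };

function demo() {
  const request = { rpId: 'bank.example' };
  return {
    legit: webauthnGate(request, spoofedOrigin, legitTls),       // null
    phishing: webauthnGate(request, spoofedOrigin, phishingTls), // 'tls-error'
    expired: webauthnGate(request, spoofedOrigin, expiredTls),   // null
  };
}

console.log(demo());
```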

Assignee: nobody → jschanck
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Severity: -- → S3
Priority: -- → P2
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/524b35624e79 disallow WebAuthn when some certificate error overrides are used. r=keeler

Backed out for causing wpt failures @ webauthn/createcredential-nested-frame.https.html:

[task 2025-03-18T06:05:56.304Z] 06:05:56     INFO - TEST-UNEXPECTED-FAIL | /webauthn/createcredential-nested-frame.https.html | navigator.credentials.create({publicKey}) in a javascript url should should succeed. - assert_equals: expected "OK" but got "Error: SecurityError: The operation is insecure."
[task 2025-03-18T06:05:56.304Z] 06:05:56     INFO - @https://web-platform.test:8443/webauthn/createcredential-nested-frame.https.html:39:20

Followed by three similar failures.

Flags: needinfo?(jschanck)
Backout by amarc@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/539463c58823 Backed out changeset 524b35624e79 for causing wpt failures @ webauthn/createcredential-nested-frame.https.html CLOSED TREE
Keywords: sec-low

There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:jschanck, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)
Flags: needinfo?(dkeeler)
Flags: needinfo?(dkeeler)
Flags: needinfo?(jschanck)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eac81faadaaa disallow WebAuthn when some certificate error overrides are used. r=keeler
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

The patch landed in nightly and beta is affected.
:jschanck, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)
Flags: needinfo?(jschanck)
QA Whiteboard: [sec] [qa-triage-done-c141/b140]
Flags: qe-verify-
Whiteboard: [adv-main140+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9495336 - Attachment is obsolete: true
Alias: CVE-2025-6433
Regressed by: 1977284
No longer regressed by: 1977284
Regressions: 1977284
Regressions: 1975630
Group: core-security-release
