Closed Bug 1970209 (CVE-2025-8043) Opened 5 months ago Closed 4 months ago

Domain highlighting and alignment is disabled Firefox Focus

Categories

(Focus :: General, defect)

Firefox 139
All
Android
defect

Tracking

(firefox141 verified)

VERIFIED FIXED
141 Branch
Tracking Status
firefox141 --- verified

People

(Reporter: alayersattackers, Assigned: michel)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [adv-main141+])

Attachments

(5 files)

Attached image firefox-focus.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

Steps to reproduce:

Product:
Mozilla Firefox Focus

Version:
139.0 (Build #391432055) (as shown in the provided image, tested on 2025-05-23 build)

Vulnerability Type:
User Interface Security – URL Spoofing via Long Subdomain Truncation

Vulnerability Description:
Mozilla Firefox Focus for Android version 139.0 has a user interface vulnerability in how it displays URLs in the address bar when visiting sites with very long subdomains.
When the subdomain is excessively long, the browser address bar fails to show the main domain (eTLD+1) and instead displays only the beginning of the subdomain. For example:

https://long-extended-subdomain-name...

This causes the actual domain name (e.g., badssl.com) to be hidden from the user’s view, which is critical for verifying the true source of the website.
This behavior can be exploited by attackers to visually disguise the real domain, making it difficult for users to recognize the actual website they are visiting.

Steps to Reproduce:

  1. Install Mozilla Firefox Focus for Android (version 139.0, Build #391432055).
  2. Visit the following URL:
    https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/
  3. Observe the address bar.
  4. The browser only shows the initial part of the subdomain, and the main domain (badssl.com) is not visible.
  5. Users cannot easily identify the actual domain being accessed.

Potential Impact:

  • Users may mistakenly trust a site based on a misleading address bar.
  • Malicious actors can mask the real domain using long subdomains.
  • This undermines user confidence in the browser’s ability to clearly convey website identity.

Severity:
High
This vulnerability affects a core security indicator in the browser’s user interface — the address bar. Since users rely on the displayed domain to verify site authenticity, hiding the main domain poses a significant security risk.
A similar issue was recognized by the Chromium team as P1 priority and S2 severity, with a $3,000 bounty, underscoring the importance of this issue:

Chromium reference:
https://issues.chromium.org/issues/395544225

Recommendation:

  • Change the truncation logic to always preserve visibility of the main domain (eTLD+1).
  • If truncation is necessary, shorten the beginning of the subdomain instead of the main domain.
  • Consider providing an expanded or detailed view on tap/hover for mobile users when the full domain is truncated.

Actual results:

Actual Behavior:
Firefox Focus truncates the URL and only shows the beginning of the subdomain, hiding the main domain. This misrepresentation can mislead users about the website’s true origin.

Expected results:

Expected Behavior:
The browser should always display the main domain (eTLD+1) clearly and fully in the address bar, regardless of subdomain length. This helps users understand the actual website they are visiting.
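An added illustration of the recommendation above (not part of the original report and not Firefox Focus code): it contrasts head truncation, which hides the registrable domain of the URL from the steps to reproduce, with truncation anchored on the eTLD+1. The function names, the display width and the three-entry suffix set are assumptions made for this sketch; a real browser consults the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption); a real
# implementation must consult the full list to locate the eTLD.
SAMPLE_SUFFIXES = {"com", "org", "co.uk"}
ELLIPSIS = "…"


def registrable_domain(host, suffixes=SAMPLE_SUFFIXES):
    """Return the eTLD+1 of host, or host unchanged if no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def head_truncate(url, width):
    """Behaviour described in the report: keep only the start of the URL."""
    return url if len(url) <= width else url[:width - 1] + ELLIPSIS


def tail_anchored_host(url, width):
    """Elide the start of the subdomain; the eTLD+1 is never cut."""
    host = urlsplit(url).hostname or ""
    base = registrable_domain(host)
    if len(host) <= width or host == base:
        return host
    # Keep the dot in front of the eTLD+1 so the label boundary is visible,
    # even when the registrable domain alone overflows the width.
    keep = max(width - len(ELLIPSIS), len(base) + 1)
    return ELLIPSIS + host[-keep:]


if __name__ == "__main__":
    url = ("https://long-extended-subdomain-name-containing-"
           "many-letters-and-dashes.badssl.com/")
    print(head_truncate(url, 30))
    print(tail_anchored_host(url, 30))
```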

Attached image firefox-focus2.jpg

screenshot poc

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1731181
Product: Firefox for Android → Focus
Resolution: --- → DUPLICATE
Group: mobile-core-security

I don't believe that this is a duplicate of bug 1731181. The other one is much broader.

Blocks: 1731181
Status: RESOLVED → REOPENED
No longer duplicate of bug: 1731181
Ever confirmed: true
Resolution: DUPLICATE → ---
Assignee: nobody → michel
Summary: URL Spoofing Vulnerability in Mozilla Firefox Focus for Android (Version 139.0) → Domain highlighting and alignment is disabled Firefox Focus
See Also: → 1812898

To me this also seems like a variant of bug 1731181 which is a duplicate of https://github.com/mozilla-mobile/fenix/issues/6762 that we didn't get to fix for Focus.

The revision was accepted, but the Testing Policy tag is missing. Is there anything that I need to do?

Flags: needinfo?(petru)

Think this can be landed but since Mihai approved the patch will defer to them for finishing the process.

Flags: needinfo?(petru) → needinfo?(mcarare)
Flags: needinfo?(mcarare)
Status: REOPENED → RESOLVED
Closed: 5 months ago → 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
Flags: qe-verify+

Setting qe-verify+ given that https://phabricator.services.mozilla.com/D252491#8744829 stated it will require manual QA.

See Also: → CVE-2025-9186
Attached image 1970209.jpg

Verified as implemented on the latest Firefox Focus for Android Nightly 141.0a1 from 6/12 with a Google Pixel 6 (Android 15), and an Oppo Find N2 Flip (Android 15).

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Duplicate of this bug: 1972097

sec-low spoofing bugs are not eligible for the bug bounty.

Flags: sec-bounty-
Whiteboard: [adv-main141+]
Alias: CVE-2025-8043
Flags: sec-bounty-hof+