intent:// can bypass fido:/ URI block
Firefox for Android :: WebAuthn, defect, P2
Reporter: sas.kunz, Assigned: m_kato
Keywords: csectype-spoof, reporter-external, sec-moderate
Whiteboard: [client-bounty-form][fxdroid][adv-main143+][group7]
Attachments: 5 files
The vulnerability is the same as
https://bugzilla.mozilla.org/show_bug.cgi?id=1922357
https://issues.chromium.org/issues/401823929
The original fix is a case-sensitive check on the intent: it checks for "fido" and not "FIDO".
POC link that will start the FIDO activity when clicked. The file also includes links that are blocked and the console output when clicked.
The fix seems to be fairly straightforward: use a case-insensitive match.
1. Open http://thundering-unruly-windflower.glitch.me/fido.html
2. Click on the intent://123456...#Intent;scheme=FIDO;end link
Updated•11 months ago
Comment 1•11 months ago
I do see what looks like a few tests for FIDO:/ so I'm not sure why that doesn't catch a problem here.
Updated•11 months ago
Comment 5•11 months ago
Looks more like we're returning getSafeIntent(aUri) before we check whether the scheme is fido:, rather than it being a case-sensitive comparison. If the URL is not normalized to a lowercase scheme by the time we're doing those checks then FIDO isn't the only scheme that could have a problem!
Comment 6•11 months ago
Gela: Looks like jboek hasn't been active on Bugzilla for a while. Can you find an appropriate person to handle this one?
Updated•11 months ago
Comment 7•11 months ago
@m_kato, since you are familiar with the Android FIDO code, can you take a look at this? Thanks.
Comment 8•10 months ago
The severity field is not set for this bug.
:boek, could you have a look please?
For more information, please visit BugBot documentation.
I've reached out to Makoto directly in case this got lost in the Bugzilla notifications :)
Comment 11 (Assignee)•10 months ago
I guess that we need to check Intent.getData().getScheme()
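The check that comments 5 and 11 call for, written out as an added Python model (this is example code, not Firefox's own): a naive filter that compares the outer scheme case-sensitively and never looks inside an intent: URI, beside a hardened filter that lowercases before comparing and also inspects the scheme= parameter embedded in the intent: URI, which is the value Intent.getData().getScheme() would report on Android. The function names, the simplified intent URI grammar it parses, and the sample links are assumptions made for this example.

```python
"""Added example (not Firefox's own code): a defensive scheme filter that
models the two gaps discussed in this bug.

The naive check mirrors the failure mode: it compares the outer scheme
case-sensitively and never looks inside an intent: URI, so both
"FIDO:/..." and "intent://...#Intent;scheme=fido;end" get through.
The hardened check lowercases before comparing and also inspects the
scheme= parameter of an intent: URI, the same value that
Intent.getData().getScheme() exposes once Android has parsed the intent.
Function names and the sample links are constructed for this example.
"""
from typing import Optional
from urllib.parse import urlsplit

# Schemes that web content must never be allowed to dispatch to the system.
BLOCKED_SCHEMES = frozenset({"fido"})


def naive_is_blocked(uri: str) -> bool:
    """Buggy check: exact, case-sensitive match on the outer scheme only."""
    return uri.split(":", 1)[0] == "fido"


def intent_inner_scheme(uri: str) -> Optional[str]:
    """Return the scheme= value from an intent: URI's '#Intent;...;end'
    fragment, or None if the URI is not an intent URI or carries no scheme.

    Only the simplified grammar 'intent://<host>/<path>#Intent;k=v;...;end'
    is handled here (an assumption of this example).
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "intent":
        return None
    frag = parts.fragment
    if not (frag.startswith("Intent;") and frag.endswith(";end")):
        return None
    body = frag[len("Intent;"):-len(";end")]
    for item in body.split(";"):
        key, sep, value = item.partition("=")
        if sep and key.strip().lower() == "scheme":
            return value.strip()
    return None


def hardened_is_blocked(uri: str) -> bool:
    """Block a URI whose scheme, or whose intent-embedded scheme, is on the
    deny list, comparing case-insensitively in both places."""
    outer = urlsplit(uri).scheme.lower()
    if outer in BLOCKED_SCHEMES:
        return True
    if outer == "intent":
        inner = intent_inner_scheme(uri)
        if inner is not None and inner.lower() in BLOCKED_SCHEMES:
            return True
    return False


# Constructed sample links; the ones the naive check misses are the two
# variants this bug and its predecessor describe.
SAMPLE_LINKS = [
    "fido:/register",
    "FIDO:/register",
    "intent://example.test/#Intent;scheme=fido;end",
    "intent://example.test/#Intent;scheme=FIDO;end",
    "intent://example.test/#Intent;scheme=https;package=org.example.app;end",
    "https://example.test/",
]


def compare_checks(links=SAMPLE_LINKS):
    """Return {link: (naive_verdict, hardened_verdict)} for the sample set."""
    return {link: (naive_is_blocked(link), hardened_is_blocked(link))
            for link in links}


if __name__ == "__main__":
    for link, (naive, hardened) in compare_checks().items():
        print(f"{link:72} naive={naive!s:5} hardened={hardened}")
```

Running the block shows the naive filter passing "FIDO:/register" and both intent: variants, while the hardened filter blocks all three and still allows an intent: URI whose embedded scheme is https. The design point is that the deny decision must be made on the normalized scheme of whatever will actually be dispatched, not on the outer URI text as typed in the link.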
Comment 12 (Assignee)•10 months ago
Comment 13 (Assignee)•10 months ago
Updated (Assignee)•10 months ago
Comment 14•10 months ago
The severity field is not set for this bug.
:boek, could you have a look please?
For more information, please visit BugBot documentation.
Updated•10 months ago
Updated•10 months ago
Updated (Assignee)•9 months ago
Comment 15 (Assignee)•9 months ago
Comment on attachment 9499992 [details]
(secure)
Security Approval Request
- How easily could an exploit be constructed based on the patch?: When clicking a link with the fido: scheme, content can hijack FIDO2 authentication. This was fixed by bug 1922357, but we have to consider an intent URI that has the fido scheme. The same issue occurs if using the intent scheme with an internal fido scheme.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: Yes
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Nothing. We block intent URIs with the fido scheme. It isn't usual.
- Is the patch ready to land after security approval is given?: Yes
- Is Android affected?: Yes
Comment 16 (Assignee)•9 months ago
Comment on attachment 9499992 [details]
(secure)
Security Approval Request
- How easily could an exploit be constructed based on the patch?: When clicking a link with the fido: scheme, content can hijack FIDO2 authentication. This was fixed by bug 1922357, but we have to consider an intent URI that has the fido scheme. The same issue occurs if using the intent scheme with an internal fido scheme.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: Yes
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Nothing. We block intent URIs with the fido scheme. It isn't usual.
- Is the patch ready to land after security approval is given?: Yes
- Is Android affected?: Yes
Updated•9 months ago
Comment 17•9 months ago
Comment on attachment 9499992 [details]
(secure)
sec-moderates don't need approval to land, please go ahead and do so and add a Beta uplift request when you're comfortable doing so.
Comment 18•9 months ago
Comment 19•9 months ago
Comment 20 (Assignee)•9 months ago
Comment on attachment 9499992 [details]
(secure)
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: When clicking a link with the fido: scheme, content can hijack FIDO2 authentication. This was fixed by bug 1922357, but we have to consider an intent URI that has the fido scheme. The same issue occurs if using the intent scheme with an internal fido scheme.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Low. The fido: scheme is already disallowed.
- String changes made/needed: No
- Is Android affected?: Yes
Comment 21 (Assignee)•9 months ago
Comment on attachment 9499992 [details]
(secure)
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: When clicking a link with the fido: scheme, content can hijack FIDO2 authentication. This was fixed by bug 1922357, but we have to consider an intent URI that has the fido scheme. The same issue occurs if using the intent scheme with an internal fido scheme.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Low. The fido: scheme is already disallowed.
- String changes made/needed: No
- Is Android affected?: Yes
Comment 22•9 months ago
Comment on attachment 9499992 [details]
(secure)
Approved for 143.0b8.
Updated•9 months ago
Comment 23•9 months ago
Updated (uplift)•9 months ago
Comment 24 (Reporter)•9 months ago
Thank you.
If this bug gets a CVE, can the credit be given to:
hafiizh (https://www.linkedin.com/in/hafiizh-7aa6bb31) & kang ali (https://www.linkedin.com/in/mohammad-ali-syarief)?
Comment 25•9 months ago
Yes (although CVE reporter fields don't include links)
Updated•8 months ago
Comment 26•8 months ago
Updated•8 months ago
Updated•8 months ago
Updated•8 months ago
Updated•8 months ago
Updated•1 month ago
Updated•1 month ago
Updated•1 month ago
Comment 29•1 month ago
Comment 30•1 month ago