Closed
Bug 1988758
Opened 8 months ago
Closed 8 months ago
intent:// can bypass fido:/ URI bock
Categories
(Firefox for Android :: WebAuthn, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1974025
People
(Reporter: utomoa448, Unassigned)
Details
(Keywords: csectype-spoof, reporter-external)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Steps to reproduce:
The issue is that the original fix was never tested on intent:// URLs. The original fix is a case sensitive check on the intent, it checks for "fido" and not "FIDO". I have attached a html file whit a POC link that will start FIDO activity when clicked. The file also includes links that are blocked and the console output when clicked.
- Open firefox android
- Navigate to a https://kentox493.github.io/browser/fido.html
- Click a test link (URI placeholders such as fido/intent url).
- Observe that the browser triggers a FIDO/WebAuthn authentication prompt.
Actual results:
fido was successfully triggered by bypassing intent with uppercase scheme=FIDO
Expected results:
Fido should not be able to be triggered from a link on a website.
|
Reporter | |
Comment 1•8 months ago
|
||
|
||
Updated•8 months ago
|
Keywords: csectype-spoof,
reporter-external
See Also: → CVE-2026-2800
|
|
||
Comment 2•8 months ago
|
||
This is just bug 1974025, which was fixed in 143. The video shows 142.
Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Duplicate of bug: CVE-2025-10530
Resolution: --- → DUPLICATE
|
|
||
Updated•8 months ago
|
See Also: CVE-2026-2800 →
|
||
Updated•1 month ago
|
Group: mobile-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•