Bug 549459 - Permission denied exception string way too descriptive
Status: RESOLVED FIXED
Whiteboard: [sg:low privacy]
Keywords: privacy, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: unspecified
Platform: x86 Windows XP
Importance: P1 normal
Target Milestone: mozilla2.0b9
Assigned To: Boris Zbarsky [:bz]
URL: http://stfw.hu/demos/steal_browsing_h...
Duplicates: 563804 564690 577844 594537
Reported: 2010-03-01 14:59 PST by Attila Magyar
Modified: 2011-02-02 16:14 PST
CC: 16 users
Flags: bzbarsky: in‑testsuite?; final+; .14-fixed; .17-fixed


Attachments
reporter's testcase (2.94 KB, text/html)
2010-03-01 17:14 PST, Daniel Veditz [:dveditz]
no flags
Don't show information about the object principal in the error string. (1.47 KB, patch)
2010-12-22 16:13 PST, Boris Zbarsky [:bz]
mrbkap: review+
christian: approval1.9.2.14+
christian: approval1.9.1.17+

Description Attila Magyar 2010-03-01 14:59:05 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100215 Ubuntu/9.04 (jaunty) Shiretoko/3.5.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Exception string: "Permission denied for <http://mysite.com> to call method Location.toString on <http://example.com>." The second domain name should not be part of the exception text as it may leak information to a possible attacker. When a script is not permitted to read the location property of a window object, the exception should not leak partial information from that property.


Reproducible: Always

Steps to Reproduce:
1. Open a new window: 
var wnd = window.open();
2. Use setInterval() to frequently read wnd.location.href. If any exception occurs, catch it, convert it to string, and extract domain names from it.
Actual Results:  
The above described method allows a site to keep track of which (external) domains the user visits in newly opened windows or tabs. Combining this with some social engineering (e.g. make the user allow popup windows) and catching keyboard events (e.g. CTRL+T) can lead to unwanted spying on visitors of a website.

Expected Results:  
The "Permission denied" exception should not contain information about the external URL.

The proof of concept demo has been tested with FF 3.5.8 on Ubuntu 9.04 and with FF 3.6 on Windows XP (SP2).
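The two exception formats at issue here (the one quoted in this report, and the post-fix one quoted in comment 19) modelled as plain strings, with the regression check a verifier would run over them: does the message name any origin other than the caller's own? This is an added example, not the reporter's test case and not Mozilla's code; it assumes the fixed format simply drops the trailing "on <origin>" part, as the string in comment 19 does.

```javascript
// Added example (not Mozilla code). Models the leaky and the fixed message
// formats from this bug and checks whether a message reveals a foreign origin.

// Format quoted in the report: includes the object principal's origin (leaks).
function leakyMessage(subjectOrigin, what, objectOrigin) {
  return `Permission denied for <${subjectOrigin}> to ${what} on <${objectOrigin}>.`;
}

// Assumed post-fix format: only the calling page's own origin is mentioned,
// matching the string quoted in comment 19 of this bug.
function fixedMessage(subjectOrigin, what) {
  return `Permission denied for <${subjectOrigin}> to ${what}.`;
}

// Collect every <scheme://host[:port]> token that appears in a message.
function originsIn(message) {
  const re = /<([a-z][a-z0-9+.-]*:\/\/[^>\s/]+)>/gi;
  const found = [];
  let m;
  while ((m = re.exec(message)) !== null) found.push(m[1]);
  return found;
}

// Origins in `message` other than `ownOrigin`. An empty result means the
// string tells the calling page nothing it did not already know about itself.
function foreignOrigins(message, ownOrigin) {
  const own = ownOrigin.toLowerCase();
  return originsIn(message).filter(o => o.toLowerCase() !== own);
}

// Constructed sample, using the origins from the report.
const OWN = "http://mysite.com";
const before = leakyMessage(OWN, "call method Location.toString", "http://example.com");
const after = fixedMessage(OWN, "call method Location.toString");

console.log(foreignOrigins(before, OWN)); // ["http://example.com"]
console.log(foreignOrigins(after, OWN));  // []
```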
Comment 1 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-03-01 15:28:37 PST
Interesting. This brings back memories of bug 363897. I wonder if we can set up some sort of secret handshake between caps and the error console without leaking the two origins in the message of the actual exception object (since that's the reason that we have the origins in there in the first place).
Comment 2 Daniel Veditz [:dveditz] 2010-03-01 17:14:43 PST
Created attachment 429633 [details]
reporter's testcase
Comment 3 Boris Zbarsky [:bz] 2010-03-01 19:20:36 PST
We could stick the "real" error text into a property that untrusted script can't get and revert the default error text to what it used to be before I tried to make jjbarton's life easier...

Or we could just revert that fix, period.  Probably much simpler.
Comment 4 Boris Zbarsky [:bz] 2010-05-04 15:12:31 PDT
*** Bug 563804 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Veditz [:dveditz] 2010-05-09 16:39:12 PDT
*** Bug 564690 has been marked as a duplicate of this bug. ***
Comment 6 Paul Stone 2010-05-10 01:38:49 PDT
Used in combination with the trick in bug 469939, this is not just a privacy bug. It can also be used to target phishing attacks at users.
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2010-05-19 15:44:06 PDT
I think we should attempt to fix this for 1.9.3.
Comment 8 Attila Magyar 2010-06-15 10:52:18 PDT
FYI there is public information on this kind of attack out there, today I found this article in my Google Reader:

http://pet-portal.eu/?page=blog&topic=pet&view=2010_06_14_Rovid_hir_egy_erdekessegrol_az_XSUH (Hungarian)

which is written about the following paper: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf - this contains a similar method to steal whole URLs or just the domain part when it's not possible.

Btw. am I allowed to publish detailed information about this bug on my (rarely updated and even more rarely visited) blog in the near future?
Comment 9 Boris Zbarsky [:bz] 2010-07-10 12:43:40 PDT
*** Bug 577844 has been marked as a duplicate of this bug. ***
Comment 10 Daniel Veditz [:dveditz] 2010-07-11 21:48:02 PDT
Given the XSUH paper I don't see why you couldn't blog about this. Maybe we should unhide the bug to avoid future duplicates.
Comment 11 Boris Zbarsky [:bz] 2010-09-17 12:29:33 PDT
*** Bug 594537 has been marked as a duplicate of this bug. ***
Comment 12 Boris Zbarsky [:bz] 2010-12-22 16:01:44 PST
OK.  I'm going to fix this by effectively disabling the fixes for bug 434522 and bug 495176 until such a time as we can report different information to the UI and to the web page.
Comment 13 Boris Zbarsky [:bz] 2010-12-22 16:08:16 PST
Though it looks like with the proxies+wrappers we basically never get into this code anyway... so those bugs were already backed out for the most part (yay lack of regression testing).
Comment 14 Boris Zbarsky [:bz] 2010-12-22 16:13:25 PST
Created attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.
Comment 15 Boris Zbarsky [:bz] 2010-12-22 16:57:16 PST
Pushed http://hg.mozilla.org/mozilla-central/rev/7dbd04a58fa0
Comment 16 Boris Zbarsky [:bz] 2010-12-22 16:57:48 PST
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

This applies as-is to both branches.
Comment 17 christian 2010-12-27 10:33:18 PST
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

a=LegNeato for 1.9.2.14 and 1.9.1.17
Comment 19 Ben Hearsum (:bhearsum) 2010-12-30 11:56:06 PST
This caused permanent orange in mochitest on all platforms on 1.9.2: 107291 ERROR TEST-UNEXPECTED-FAIL | /tests/modules/plugin/test/test_pluginstream_newstream.html | exception Permission denied for <http://localhost:8888> to get property HTMLDocument.body thrown
Comment 20 Boris Zbarsky [:bz] 2010-12-30 14:53:11 PST
Yeah, that test is bogus....  I pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6697a04d3f87 to fix the bogosity (which is just an exact copy of the changeset that fixed said bogosity on trunk back when compartments landed).
Comment 21 Boris Zbarsky [:bz] 2010-12-30 18:32:10 PST
And then http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7f6049187692 because the message format from the security manager isn't the same as what the security wrappers produce.  Why the wrappers decided to use different strings, I have no idea.  :(
Comment 22 Al Billings [:abillings] 2011-01-06 12:09:19 PST
Verified fixed in 1.9.2 using attached testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14pre) Gecko/20110103 Namoroka/3.6.14pre. Verified bad behavior in 1.9.2.13. 

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.17pre) Gecko/20110106 Shiretoko/3.5.17pre and verified bad behavior in 1.9.1.16.
