Permission denied exception string way too descriptive

RESOLVED FIXED in mozilla2.0b9

Status

()

Core
DOM: Core & HTML
P1
normal
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Attila Magyar, Assigned: bz)

Tracking

({privacy, verified1.9.1, verified1.9.2})

unspecified
mozilla2.0b9
x86
Windows XP
privacy, verified1.9.1, verified1.9.2
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .14-fixed, status1.9.1 .17-fixed)

Details

(Whiteboard: [sg:low privacy], URL)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100215 Ubuntu/9.04 (jaunty) Shiretoko/3.5.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Exception string: "Permission denied for <http://mysite.com> to call method Location.toString on <http://example.com>." The second domain name should not be part the exception text as it may leak information for a possible attacker. When a script is not permitted to read the location property of a window object, the exception should not leak partial information from that property.


Reproducible: Always

Steps to Reproduce:
1. Open a new window: 
var wnd = window.open();
2. Use setInterval() to frequently read wnd.location.href. If any exception occurs, catch it, convert it to string, and extract domain names from it.
Actual Results:  
The above described method allows a site to keep track of which (external) domains does the user visit in newly opened windows or tabs. Combining this with some social engineering (e.g. make the user allow popup windows) and catching keyboard events (e.g. CTRL+T) can lead to unwanted spying on visitors of a website.

Expected Results:  
The "Permission denied" exception should not contain information about the external URL.

The proof of concept demo has been tested with FF 3.5.8 on Ubuntu 9.04 and with FF 3.6 on Windows XP (SP2).
Interesting. This brings back memories of bug 363897. I wonder if we can set up some sort of secret handshake between caps and the error console without leaking the two origins in the message of the actual exception object (since that's the reason that we have the origins in there in the first place).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:low privacy]
Keywords: privacy
Created attachment 429633 [details]
reporter's testcase
We could stick the "real" error text into a property that untrusted script can't get and revert the default error text to what it used to be before I tried to make jjbarton's life easier...

Or we could just revert that fix, period.  Probably much simpler.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1: ? → wanted
status1.9.2: ? → wanted
Duplicate of this bug: 563804
Duplicate of this bug: 564690

Comment 6

7 years ago
Used in combination with the trick in bug 469939, this is not just a privacy bug. It can also be used to target phising attacks at users.
I think we should attempt to fix this for 1.9.3.
Assignee: nobody → mrbkap
blocking2.0: ? → final+
(Reporter)

Comment 8

7 years ago
FYI there is public information on this kind of attack out there, today I found this article in my Google Reader:

http://pet-portal.eu/?page=blog&topic=pet&view=2010_06_14_Rovid_hir_egy_erdekessegrol_az_XSUH (hungarian)

which is written about the following paper: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf - this contains a similar method to steal whole URLs or just the domain part when it's not possible.

Btw. am I allowed to publish detailed information about this bug on my (rarely updated and even more rarely visited) blog in the near future?
Duplicate of this bug: 577844
Given the XSUH paper I don't see why you couldn't blog about this. Maybe we should unhide the bug to avoid future duplicates.
Duplicate of this bug: 594537

Updated

7 years ago
Assignee: mrbkap → bzbarsky
OK.  I'm going to fix this by effectively disabling the fixes for bug 434522 and bug 495176 until such a time as we can report different information to the UI and to the web page.
Though it looks like with the proxies+wrappers we basically never get into this code anyway... so those bugs were already backed out for the most part (yay lack of regression testing).
Created attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.
Attachment #499420 - Flags: review?(mrbkap)
Priority: -- → P1
Whiteboard: [sg:low privacy] → [need review][sg:low privacy]

Updated

7 years ago
Attachment #499420 - Flags: review?(mrbkap) → review+
Pushed http://hg.mozilla.org/mozilla-central/rev/7dbd04a58fa0
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [need review][sg:low privacy] → [sg:low privacy]
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

This applies as-is to both branches.
Attachment #499420 - Flags: approval1.9.2.14?
Attachment #499420 - Flags: approval1.9.1.17?
Target Milestone: --- → mozilla2.0b9

Comment 17

7 years ago
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

a=LegNeato for 1.9.2.14 and 1.9.1.17
Attachment #499420 - Flags: approval1.9.2.14?
Attachment #499420 - Flags: approval1.9.2.14+
Attachment #499420 - Flags: approval1.9.1.17?
Attachment #499420 - Flags: approval1.9.1.17+
Pushed:
  http://hg.mozilla.org/releases/mozilla-1.9.2/rev/4de0968e31a1
  http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cb4fb4d7e086
status1.9.1: wanted → .17-fixed
status1.9.2: wanted → .14-fixed
This caused permanent orange in mochitest on all platforms on 1.9.2: 107291 ERROR TEST-UNEXPECTED-FAIL | /tests/modules/plugin/test/test_pluginstream_newstream.html | exception Permission denied for <http://localhost:8888> to get property HTMLDocument.body thrown
Yeah, that test is bogus....  I pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6697a04d3f87 to fix the bogosity (which is just an exact copy of the changeset that fixed said bogosity on trunk back when compartments landed).
And then http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7f6049187692 because the message format from the security manager isn't the same as what the security wrappers produce.  Why the wrappers decided to use different strings, I have no idea.  :(
Verified fixed in 1.9.2 using attached testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14pre) Gecko/20110103 Namoroka/3.6.14pre. Verified bad behavior in 1.9.2.13. 

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.17pre) Gecko/20110106 Shiretoko/3.5.17pre and verified bad behavior in 1.9.1.16.
Keywords: verified1.9.1, verified1.9.2
Group: core-security
You need to log in before you can comment on or make changes to this bug.