Closed
Bug 916583
Opened 11 years ago
Closed 11 years ago
[SECURITY] Remote address book spam
Categories (Firefox for Android Graveyard :: Download Manager, defect)
Tracking (Not tracked)
RESOLVED DUPLICATE of bug 690252
People (Reporter: deax0u, Unassigned)
Attachments (2 files)
Hello, I want to report a Firefox Android bug I've found. It's possible to fill the address book with a special HTTP response. I've attached a Python script to generate a .vcf file with junk contacts. If this file is served as text/x-vcard it will trigger a download and automatically import this file into the address book. I've tested this on Android 4.0.4. There is no Android security component, so I've filed it here. I don't have any experience in writing such reports so I hope it's OK. Please feel free to contact me for further information.
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Comment 2•11 years ago
bug 690252 should fix this. Will attach a test file.
Comment 3•11 years ago
Comment 4•11 years ago
Tested and verified that this is a duplicate of 690252
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
Flags: sec-bounty? → sec-bounty-
Is there any further news? I guess I didn't qualify for the T-shirt, right? Also, this is quite embarrassing but my mailbox expired. If you've sent any mails I didn't get them. Please excuse me if you've been waiting for a reply somewhere. I'm not able to open bug 690252 but I would appreciate some information about it, like the report date or a short summary of the issue described in the bug. I don't know if your policy allows that, though. Thanks in advance.
Comment 6•11 years ago
This bug was already fixed by disabling the auto launch of all files, which is the fix for bug 690252. The fix landed in our integration tree on Sept 12th and was in our Nightly builds on Sept 13th or 14th. Since your bug was already fixed by the bug mentioned, we closed it out as a duplicate.
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard