CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS

栏目: IT技术 · 发布时间: 4年前

内容简介:March 30th, 2020There is a kind of security flaws in Web browsers and extensions that can enable an attacker to bypass the same-origin policychecks and take over your online activity by simply having you visit a web page; allowing accessing your bank accou

March 30th, 2020

There is a kind of security flaws in Web browsers and extensions that can enable an attacker to bypass the same-origin policychecks and take over your online activity by simply having you visit a web page; allowing accessing your bank account, learning about your search queries on Google, your emails, your messages on Facebook, etc. It can even enable the attacker to impersonate you and perform actions on your behalf. These flaws are called: Universal Cross-Site Scripting .

In October 2019, we discovered such a security flaw in Firefox for iOS, which allowed malicious actors to execute JavaScript on arbitrary origins.

CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS

Cliqz browsers are based on Firefox , and from time to time we conduct security and privacy audits of upstream projects, other browsers and our own products across platforms. These audits allowed us to discover some critical issues in the past.

In November last year, the Cliqz browser for iOS was undergoing a complete overhaul. While auditing the app for security issues during its development phase, we discovered a Universal Cross-Site Scripting (UXSS) vulnerability.

We tested the production version of Firefox (Version 19.1 - 16203) and realized that it had the same vulnerability, therefore we reported the issue via the Client Security Bug Bounty Program to Mozilla. At that time we tested a few other popular browsers on iOS and none of them had this issue. Some of them, like Safari, were even explicit in their error reporting :)

CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS

However, in January this year, when we were about to publish our findings, we did our due diligence and performed a sanity check on popular iOS browsers again. We found that this time Brave for iOS suffered from the same security issue. After reporting the issue to Brave, they promptly fixed it, but we wanted to wait for a few more months before publishing the details about this security issue to give users time to update to the latest version.

The Attack

Location
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS
  • Because of a bug in the browser, an attacker is able to execute JavaScript in the context of the previously visited website (i.e. google.com in this case) by returning a redirect to javascript: doEvil ,
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS

Being able to execute JavaScript on a different origin, opens a wide range of attacks. For example, not only can the attacker read sensitive data like cookies or the URL from webpages. They can also return JavaScript which performs API requests to retrieve information such as the last 10 queries that the user has submitted on google.com.

CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS

It is important to note that this issue only classifies as semi-UXSS because attackers cannot steal data from any website of their choice, but are limited to the last visited domain. For example, in the above case, if the attacker returns a JavaScript code in location header, that tries to steal data or execute actions on https://meine.deutsche-bank.de/trxm/db/ , the attack will only work as long as the last website visited in that tab was https://meine.deutsche-bank.de/ .

However, even given the above limitations the attacker can curate special links and lure the users into opening these malicious links by sharing them on social media, chat platforms, etc. If the user clicks on such links on these websites, the attacker can now try and exfiltrate sensitive user data from the website where the link was clicked from.

Given the impact of the vulnerability, the fact that it was present in production versions and was easily exploitable, Mozilla classified this bug as sec-critical.

Cause

The issue here was that Firefox for iOS had insufficient checks to block JavaScript from being executed when returned via Location response header. This bug originated from the bookmarklets functionalityadded in Firefox for iOS. In order to fix this security issue, Firefox decided to remove this functionality altogether from the browser.

Timeline


以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

一网打尽

一网打尽

[美]布拉德·斯通 / 李晶、李静 / 中信出版社 / 2014-1-15 / 49.00元

亚马逊最早起步于通过邮购来经营图书业务。但贝佐斯却不满足于仅做一名书商,他希望缔造亚马逊万货商店的神话——能提供海量的货源,并以超低的价格提供最具吸引力的便捷服务。为了实现这一诺言,他发展了一种企业文化,这种文化蕴含着执着的雄心与难以破解 的秘诀。亚马逊的这 一文化现在依旧在发扬光大。 布拉德·斯通非常幸运地得到采访亚马逊的前任和现任高管、员工以及贝佐斯本人、家人的机会,使我们第一次有机会深......一起来看看 《一网打尽》 这本书的介绍吧!

在线进制转换器
在线进制转换器

各进制数互转换器

MD5 加密
MD5 加密

MD5 加密工具

正则表达式在线测试
正则表达式在线测试

正则表达式在线测试