Erik van Straten /
npub1yzf…l3r7
2024-09-22 13:40:48


Firefox iOS vulnerability

Nearly three months ago I reported a vulnerability in Firefox for iOS to Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=1904885) - it remains unfixed while my "bumps" do not seem to wake anyone up (yes that's frustrating - and I encounter that everywhere).

🔹 VULNERABILITY
The vulnerability appears to be that if Firefox is opened with an http link "on the command line", while the last page open was using https, it gets confused and erroneously shows a https padlock for an http website.

🔹 CONDITIONS TO REPRODUCE
It's easy to reproduce, provided that:

• Firefox is configured as your default browser (on iOS or iPadOS)

• You use an app to read emails that is not web-based (Apple's mail app works fine).

🔹 REPRODUCE VIA MAIL
One way to reproduce is to send yourself a ("phishing") email with the following instructions:

«
1) Tap bleepingcomputer.com to open it;

2) For security reasons (XSS attacks etc.), now close Firefox (make sure to swipe its window off screen);

3) Tap example.com to open it.
»

(Instead of example.com you can use any website that does not automatically forward your browser to an https connection to the website, such as http://http.badssl.com).

🔹 SYMPTOMS
Firefox for iOS now reopens, shows "example.com/" in the address bar *and* a padlock icon indicating an https connection.

However, it is NOT using an https connection, but http. The padlock is not trustworthy.

🔹 PICS OR IT AINT SO
See the screenshots below: the second one is after tapping the padlock icon (or tap in the address bar to see the -selected- URL start with http://).

🔹 FULL POC
Since it's not yet 90 days ago (but rather 88) I'll wait a bit with publishing a full phishing PoC.

npub1smvt66z9w0muq5pa0ws7qg3heg83eyhqj4qgx5m0kzh2l9k0nfzsem399s (npub1smv…399s)

#FirefoxIOS #Vulnerability #Mozilla #Bugzilla #FullDisclosure #Padlock #httpvshttps #Phishing #PhishingRisk



Author Public Key
npub1yzfshvmugq4nd4jhwve7hhwqzvvt7g9g23sharz5f5wdvg65r92qhql3r7
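
Since the post shows that the padlock cannot be relied on in this situation, a mail-side check can list the plain-http links in a message before any of them is handed to the browser. This is an added example, not part of the original post and not Mozilla's code; the function names and the sample message are constructed for illustration.

```python
"""List plain-http links in an e-mail (added example; sample message is constructed)."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def cleartext_links(msg):
    """Return the sorted, de-duplicated http:// links found in all text parts."""
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            candidates = collector.hrefs
        elif ctype == "text/plain":
            candidates = URL_RE.findall(part.get_content())
        else:
            continue  # multipart containers and attachments carry no link text
        for url in candidates:
            parts = urlsplit(url.strip())
            if parts.scheme.lower() == "http" and parts.hostname:
                found.add(url.strip())
    return sorted(found)


def sample_message():
    """Constructed test mail with one https link and one http link."""
    msg = EmailMessage()
    msg["Subject"] = "padlock test (constructed)"
    msg.set_content("1) Tap https://bleepingcomputer.com/ to open it;\n"
                    "3) Tap http://http.badssl.com/ to open it.\n")
    msg.add_alternative('<p><a href="https://bleepingcomputer.com/">first</a> '
                        '<a href="http://http.badssl.com/">second</a></p>',
                        subtype="html")
    return msg


if __name__ == "__main__":
    print(cleartext_links(sample_message()))
```
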