Slide 1

Slide 1 text

SWIFT Code for Mozilla Bank
Code Vulnerability Analysis of Firefox for iOS
2016.10.22 at AVTOKYO 2016
Fox-keh (C) 2006 Mozilla Japan

Slide 2

Slide 2 text

MUNEAKI NISHIMURA - nishimunea
Senior security engineer at Recruit Technologies Co., Ltd.
Application track leader at Security Camp 2016
Weekend bug hunter

Slide 3

Slide 3 text

Firefox for iOS

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Apple’s WKWebView is used for rendering web content

Slide 6

Slide 6 text

User interface written in Swift by Mozilla

Slide 7

Slide 7 text

In scope of the Mozilla Bug Bounty Program, but security bugs in WKWebView itself are ineligible

Slide 8

Slide 8 text

I Found 11 Bugs & Received $22,000
Bug 1224529
Bug 1224906
Bug 1224910
Bug 1258188
Bug 1267019
Bug 1278053
Bug 1279787
Bug 1290714
Bug 1290732
Bug 1290760
Bug 1293931

Slide 9

Slide 9 text

• The source code of Firefox for iOS is on GitHub: https://github.com/mozilla/firefox-ios
• I discovered almost all the bugs using keyword searches in the source code (during my commute)

Slide 10

Slide 10 text

2 keywords used to find a bug
• messageHandlers
• registerHandlerForMethod

Slide 11

Slide 11 text

messageHandlers

Slide 12

Slide 12 text

Script Messages: a feature of WKWebView to invoke registered Swift handlers from JavaScript
(diagram: WKWebView sends Script Messages to Swift, which then does something)

Slide 13

Slide 13 text

Example: the JS window.print function of Firefox for iOS uses Script Messages as follows
https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js

    window.print = function() {
      webkit.messageHandlers.printHandler.postMessage({})
    };

Slide 14

Slide 14 text

Example: the JS window.print function of Firefox for iOS uses Script Messages as follows
https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js

    window.print = function() {
      webkit.messageHandlers.printHandler.postMessage({})   // invokes the printing function in Swift
    };

Slide 15

Slide 15 text

Example: the JS window.print function of Firefox for iOS uses Script Messages as follows
https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js

    window.print = function() {
      webkit.messageHandlers.printHandler.postMessage({})
    };

Similar handlers can be found by searching for “messageHandlers”

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Accounts Command Handler

Slide 18

Slide 18 text

Accounts Command Handler
Used in Firefox Sync sign-in for communicating with WKWebView
(screenshot: the handler is used here for registering user credentials to the browser UI)

Slide 19

Slide 19 text

• The handler is available only in a special WKWebView for sign-in; there is no address bar and all resources are https:
• However, the handler has no check for the caller’s origin
• Is it secure or not…?

Slide 20

Slide 20 text

Accounts command handler can be called from any origin
Bug 1293931

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

http://creativecommons.org

Slide 29

Slide 29 text

Yep, an attacker can inject her Firefox Account if she can alter the Creative Commons website in some way (e.g., MITM)
https://bugzilla.mozilla.org/show_bug.cgi?id=1293931
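The bug on the previous slides is that the native handler trusts whichever page posts the message. WebKit already tells the handler which frame sent it (WKScriptMessage.frameInfo, whose securityOrigin is available from iOS 9), so the check belongs in the handler before any account state changes. The Swift below is an added example written for this summary, not code from Firefox for iOS or the commit history it discusses; the handler name "accountsCommandHandler", the allowlisted origin https://accounts.example.com, the "login"/"logout" commands and the body shape {command, email} are all assumptions chosen for illustration.

```swift
import WebKit

/// Result of screening one script message before any account state changes.
enum CommandDecision: Equatable {
    case rejectedFrame          // posted from a subframe, not the top document
    case rejectedOrigin         // posted from an origin not on the allowlist
    case malformed              // body is not {command: String, ...}
    case accepted(command: String)
}

/// Origins whose pages may drive the accounts command handler.
/// Assumed value for this example; the slides do not name the sign-in origin.
let allowedAccountOrigins: Set<String> = ["https://accounts.example.com"]

/// Serializes the origin WebKit attributes to the posting frame as
/// "scheme://host[:port]". Returns nil for opaque origins (about:blank,
/// data: documents), whose host is empty, so they never match the allowlist.
func originString(of frame: WKFrameInfo) -> String? {
    let origin = frame.securityOrigin
    guard !origin.host.isEmpty else { return nil }
    let defaultPort = origin.protocol == "https" ? 443 : 80
    let portSuffix = (origin.port == 0 || origin.port == defaultPort) ? "" : ":\(origin.port)"
    return "\(origin.protocol)://\(origin.host)\(portSuffix)"
}

/// Pure decision logic, kept apart from WebKit types so it can be exercised
/// without a live web view. Only WebKit-supplied facts (frame, origin) are
/// trusted; nothing inside the page-controlled body decides acceptance.
func screen(origin: String?, isMainFrame: Bool, body: Any) -> CommandDecision {
    guard isMainFrame else { return .rejectedFrame }
    guard let origin = origin, allowedAccountOrigins.contains(origin) else {
        return .rejectedOrigin
    }
    guard let dict = body as? [String: Any],
          let command = dict["command"] as? String else { return .malformed }
    return .accepted(command: command)
}

final class AccountsCommandHandler: NSObject, WKScriptMessageHandler {
    /// Stands in for the browser's account state in this example.
    private(set) var signedInEmail: String?

    /// Registers the handler under the name the page's JavaScript reaches via
    /// webkit.messageHandlers.<name>.postMessage(...). The name is assumed.
    func install(on controller: WKUserContentController) {
        controller.add(self, name: "accountsCommandHandler")
    }

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        let frame = message.frameInfo
        let decision = screen(origin: originString(of: frame),
                              isMainFrame: frame.isMainFrame,
                              body: message.body)
        switch decision {
        case .accepted(let command):
            apply(command: command, body: message.body as? [String: Any] ?? [:])
        case .rejectedFrame, .rejectedOrigin, .malformed:
            return      // drop the message; the page gets no feedback
        }
    }

    private func apply(command: String, body: [String: Any]) {
        switch command {
        case "login":
            if let email = body["email"] as? String { signedInEmail = email }
        case "logout":
            signedInEmail = nil
        default:
            break           // unknown commands are ignored
        }
    }
}

// Constructed inputs showing the decisions without a web view.
let fromSignIn = screen(origin: "https://accounts.example.com", isMainFrame: true,
                        body: ["command": "login", "email": "user@example.com"])
let fromElsewhere = screen(origin: "http://creativecommons.org", isMainFrame: true,
                           body: ["command": "login", "email": "user@example.com"])
let fromFrame = screen(origin: "https://accounts.example.com", isMainFrame: false,
                       body: ["command": "login"])
print(fromSignIn, fromElsewhere, fromFrame)
// accepted(command: "login") rejectedOrigin rejectedFrame
```

The main-frame requirement matters because webkit.messageHandlers is exposed to every frame in the web view, including third-party iframes embedded by the sign-in page. Comparing the full scheme://host[:port] tuple, rather than just the host, is what keeps an http: page on the same host (the MITM case above) out.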

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

registerHandlerForMethod

Slide 32

Slide 32 text

• Firefox for iOS runs a local web server while in the foreground
• Browser-internal pages are published from this server, e.g., the certificate warning page
• Firefox associates browser features with URL path names via registerHandlerForMethod in the WebServer class

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Reader Mode

Slide 35

Slide 35 text

Reader Mode
Makes a page layout more reader-friendly

Slide 36

Slide 36 text

• Readerized contents are published from the local server
• The address bar displays the original URL, but the real URL is:
  http://localhost:6571/reader-mode/page?url=https://blog.mozilla.org/security
  (the original URL is in the query string)

Slide 37

Slide 37 text

Reader Mode leaks sensitive HTTPS URLs through the Referer header
Bug 1290732

Slide 38

Slide 38 text

• GitHub’s Gists support a secret mode
• Not private: discoverable if the URL is known
• Gists use a Referrer-Policy meta tag to prevent unintentional URL leakage

Slide 39

Slide 39 text

• Reader mode strips all meta tags, and the page is served over an http: channel
• Finally, a Gist’s secret URL is leaked via the HTTP Referer header:
  http://localhost:6571/reader-mode/page?url=https://gist.github.com/nishimunea/899da90df5b169a80df39e73fec89e87
  (the secret Gist URL is the url= parameter)
https://bugzilla.mozilla.org/show_bug.cgi?id=1290732
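The leak above has two ingredients: the readerizer drops the page's own referrer meta tag, and the local server then serves a plain http: document whose URL carries the secret in its query string. The local server can close the first gap on its own by attaching a referrer policy to every readerized response. The Swift below is an added example, not code from Firefox for iOS or its WebServer class; it assumes a generic (headers, body) response shape rather than any particular web-server library, and the sample HTML is constructed.

```swift
import Foundation

/// Headers and body of a readerized page as the local server would return it.
/// Assumed shape; the project's server library is not modelled here.
struct LocalPageResponse {
    var headers: [String: String]
    var body: String
}

/// Inserts `tag` right after the opening <head ...> tag (attributes and
/// mixed case tolerated), creating a head element if the document has none.
func insertingIntoHead(_ tag: String, html: String) -> String {
    let pattern = "<head\\b[^>]*>"
    if let match = html.range(of: pattern, options: [.regularExpression, .caseInsensitive]) {
        var result = html
        result.insert(contentsOf: tag, at: match.upperBound)
        return result
    }
    return "<head>\(tag)</head>" + html
}

/// Wraps readerized HTML so that neither links nor subresources on the page
/// send the reader-mode URL (and the original URL in its query string) as a
/// Referer. The meta tag governs the document even if a proxy drops headers;
/// the Referrer-Policy header governs it even if the markup is rewritten.
func readerModeResponse(readerizedHTML: String) -> LocalPageResponse {
    let metaTag = "<meta name=\"referrer\" content=\"no-referrer\">"
    return LocalPageResponse(
        headers: ["Content-Type": "text/html; charset=utf-8",
                  "Referrer-Policy": "no-referrer"],
        body: insertingIntoHead(metaTag, html: readerizedHTML))
}

// Constructed sample: what a readerizer might emit after stripping the
// original page's meta tags (note: no referrer policy survives).
let sample = "<html><HEAD lang=\"en\"><title>Secret gist</title></HEAD>"
           + "<body><a href=\"https://example.net\">out</a></body></html>"
let response = readerModeResponse(readerizedHTML: sample)
print(response.headers["Referrer-Policy"] ?? "")
print(response.body)
// no-referrer
// <html><HEAD lang="en"><meta name="referrer" content="no-referrer"><title>Secret gist</title>...
```

This only addresses the referrer leak. The other half of the slide, that a sensitive https: URL is embedded in the query string of an http://localhost page at all, is a design question for how the local server names readerized pages, and no header fixes that.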

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

• Readerized pages are all in the same localhost origin regardless of their real origin
• If there were an XSS on the local server, arbitrary page data could be stolen via a Reader Mode URL
• The question is: where is the XSS on localhost?

Slide 42

Slide 42 text

XSS Was Also in a Reader Mode URL
http://localhost:6571/reader-mode/page?url=javascript:alert(1)
(the XSS was here, in the url= parameter)

Slide 43

Slide 43 text

Localhost Navigation Has Been Blocked Since 4.0, so the XSS in Reader Mode has not been exploitable directly from a web page
Blocked if the host is “localhost”, 127.0.0.1, or ::1
https://github.com/mozilla-mobile/firefox-ios/commit/78df359fd64aa7fc98bb2e1e7f65863c434fd3bb

    import WebKit

    // Swift 2 era code from the commit above; isLocal is a property on NSURL
    // because it is reached through request.URL?.isLocal below
    extension NSURL {
        public var isLocal: Bool {
            return host?.lowercaseString == "localhost" || host == "127.0.0.1" || host == "::1"
        }
    }

    private extension WKNavigationAction {
        // a navigation is allowed unless its destination host is "local"
        private var isAllowed: Bool {
            return !(request.URL?.isLocal ?? false)
        }
    }

Slide 44

Slide 44 text

Steal cross origin DOM data with bypassing localhost navigation blocking
Bug 1279787

Slide 45

Slide 45 text

Hostname Blacklisting Was Insufficient
The XSS was still exploitable through http://0x7f000001:6571/

Slide 46

Slide 46 text

XSS is triggered from here

Slide 47

Slide 47 text

Load the target readerized page (github.com/notifications) in an iframe

Slide 48

Slide 48 text

Steal the DOM contents from the parent window
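The root cause on slide 45 is that NSURL/URL.host hands back the host exactly as written, while WebKit's URL parser (like classic resolvers) also accepts hex, octal, decimal and shortened IPv4 literals; comparing the raw string against three spellings therefore misses "0x7f000001", "2130706433", "127.1", "0177.0.0.1" and every other 127.0.0.0/8 address. The Swift below is an added example, not code from Firefox for iOS or the commit it discusses: it decides on the address the host denotes rather than on its spelling, and it generalises beyond the slide by covering the whole 127/8 block and IPv6 loopback forms. Foundation's inet_pton is used for IPv6 canonicalisation; the IPv4 literal parser is written out because no Foundation API exposes one.

```swift
import Foundation   // brings Darwin's inet_pton into scope on Apple platforms
import WebKit

/// Parses one dotted component the way IPv4 literals are read by classic
/// resolvers and the WHATWG URL parser: 0x-prefixed hex, leading-zero octal,
/// otherwise decimal. Signs and whitespace are rejected.
func parseIPv4Part(_ part: Substring) -> UInt64? {
    var digits = part
    var radix = 10
    if digits.hasPrefix("0x") || digits.hasPrefix("0X") {
        digits = digits.dropFirst(2)
        radix = 16
        if digits.isEmpty { return 0 }          // "0x" alone denotes zero
    } else if digits.count > 1 && digits.hasPrefix("0") {
        digits = digits.dropFirst()
        radix = 8
    }
    guard !digits.isEmpty, digits.allSatisfy({ $0.isHexDigit }) else { return nil }
    return UInt64(digits, radix: radix)         // nil for e.g. "9" under radix 8
}

/// Returns the 32-bit address of an IPv4 literal written as a.b.c.d, a.b.c,
/// a.b or a (the last component fills the remaining bytes), or nil when the
/// host is not an IPv4 literal at all.
func ipv4Address(from host: String) -> UInt32? {
    let parts = host.split(separator: ".", omittingEmptySubsequences: false)
    guard (1...4).contains(parts.count) else { return nil }
    var values: [UInt64] = []
    for part in parts {
        guard let value = parseIPv4Part(part) else { return nil }
        values.append(value)
    }
    let last = values.removeLast()
    guard values.allSatisfy({ $0 <= 255 }) else { return nil }
    let trailingBytes = 4 - values.count        // bytes the last component covers
    guard last < (UInt64(1) << (8 * trailingBytes)) else { return nil }
    var address = last
    for (index, value) in values.enumerated() {
        address += value << (8 * UInt64(3 - index))
    }
    return UInt32(address)
}

/// True when `rawHost` (as returned by URL.host, which Foundation does not
/// canonicalise) denotes the local machine.
func isLoopbackHost(_ rawHost: String) -> Bool {
    var host = rawHost.lowercased()
    if host.hasPrefix("[") && host.hasSuffix("]") {
        host = String(host.dropFirst().dropLast())
    }
    if host == "localhost" || host.hasSuffix(".localhost") { return true }
    if let v4 = ipv4Address(from: host) { return v4 >> 24 == 127 }   // all of 127/8
    // IPv6: let the C library canonicalise, then inspect the 16 bytes.
    var addr6 = in6_addr()
    guard inet_pton(AF_INET6, host, &addr6) == 1 else { return false }
    let bytes = withUnsafeBytes(of: &addr6) { Array($0) }
    if bytes == [UInt8](repeating: 0, count: 15) + [1] { return true }   // ::1
    let mappedPrefix = [UInt8](repeating: 0, count: 10) + [0xff, 0xff]
    if Array(bytes[0..<12]) == mappedPrefix { return bytes[12] == 127 }  // ::ffff:127.x.x.x
    return false
}

extension WKNavigationAction {
    /// Counterpart to the isAllowed property on slide 43, deciding on the
    /// address rather than the spelling. URLs without a host (about:, data:)
    /// are treated as before: not local-server URLs, so not blocked here.
    var isAllowedNavigation: Bool {
        guard let host = request.url?.host else { return true }
        return !isLoopbackHost(host)
    }
}

// Constructed hosts, as URL.host would return them for the slide's URLs.
for host in ["localhost", "127.0.0.1", "0x7f000001", "2130706433", "127.1",
             "0177.0.0.1", "127.200.1.1", "::1", "[::1]", "::ffff:127.0.0.1",
             "example.com", "128.0.0.1"] {
    print(host, isLoopbackHost(host))
}
// everything except example.com and 128.0.0.1 prints true
```

Even this check only sees the literal in the URL: a DNS name that resolves to a loopback address is invisible to it, which is the general limit of deciding at the navigation layer. A design that does not depend on recognising the host at all, for instance a local server that only answers requests carrying a secret token the app generated at launch, is not subject to that limit; whether the project took that route is not stated on these slides.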

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

2 keywords used to find a bug
• messageHandlers
• registerHandlerForMethod

Slide 51

Slide 51 text

Thank you