Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 25 Oct 2015 12:01:47 -0600
From: "Mohamed A. Baset" <symbian2010@...il.com>
To: secalert@...hat.com, oss-security@...ts.openwall.com
Subject: CVE Request regarding Firefox FindMyDevice Service Critical ClickJacking

Vulnerability Title:
Firefox FindMyDevice Service Critical ClickJacking

Author Name
Mohamed Abdelbasset Elnouby Abouelwaffa

Contact Details:
https://twitter.com/SymbianSyMoh
https://mx.linkedin.com/in/SymbianSyMoh

Report Date:
2014-11-15 11:54:12 PST

Report Status:
Fixed / 2015-03-23 13:23:19 PDT

Vulnerability Type:
ClickJacking

Info:
https://www.owasp.org/index.php/Clickjacking

Affected URL(s):
https://find.firefox.com

PoC Screenshot:
Included as an attachment
For non email receptionist "https://goo.gl/FUkFVm"

In-depth analysis of the Vulnerability:
Regardless The security protection mechanism which is that that attacker
definitely can't guess or brute force the Device id
"8fcXXXXc40de04b3803945XXXXXXXXXX" which is a part of the URL to the
victim's profile to make a successful clickjacking attack iframe, in fact
this protection mechanism is too low coz all the attacker to do is just to
point the logged in user to his iframe source https://find.firefox.com and
Mozilla will care about the rest "redirect the victim to the correct logged
in active device id.

What attacker can do:
1-"Erase the victim's device data" With just only 3 clicks by the victim
himself if he tricked with "click here to win a 50 BTC for Example
2-"Lock The victim device or change his lock code" if it is the first time
to be set "4 clicks"
3-"Makes the Device ringing" 2 clicks"

Expected results:
Find My Device web interface mustn't be iframed Apply XFO or Frame Busting
techniques

More Details About clickjacking:
Because of No Frame Busting Techniques or X-Frame-Options header, the whole
website is vulnerable to Clickjacking attacks which could lead to a full
account takeover considering such scenario:
1. Attacker will iframe any sensitive the website page and adjust the
iframe size and add a "divs" as a layers on the unwanted-to-show parts of
the original web page to fool and trick the user.
2. User get tricked by the crafted page and followed the attacker's
instruction to do a specific clicks to the iframed page
3. Unwanted actions happened in the logged in user's session in result to
the attack's clicks.

Remedy:
1- Add an X-Frame-Options HTTP Header and set it's value to "Deny" or
"Sameorigin" as you can see it suitable to mitigate such attacks
2- Use iframe busting techmiques in JS code like this:

<script type="text/javascript">
 if (self === top) {
 var antiClickjack = document.getElementById("antiClickjack");
 antiClickjack.parentNode.removeChild(antiClickjack);
 } else {
 top.location = 'Your_Website_URL_Here';
 }
</script>

or

<script type="text/javascript">
 // Disable frame hijacking
 if (top != self)
 top.location.href = location.href;
 </script>

Actual results:
Find My Device web interface is iframable which makes it vulnerable to
ClickJacking Attacks

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Original Report: https://bugzilla.mozilla.org/show_bug.cgi?id=1100004

Thanks​


*Mohamed Abdelbaset Elnoby*Guru Programmer, Senior Information Security
Consultant & Web Application Penetration Tester at Seekurity Inc
<http://www.Seekurity.com>.

Contact me at:
LinkedIn
<https://www.linkedin.com/in/symbiansymoh>Facebook
<https://fb.com/symbiansymoh>Twitter <https://twitter.com/symbiansymoh>
<https://twitter.com/symbiansymoh>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.