FVP-02-014 General: Cross-site WebSocket hijacking #810

Closed
bakulf opened this issue Apr 7, 2021 · 1 comment
Labels
p1 High Criticality Issues
bakulf commented Apr 7, 2021

The provided staging build contains the Mozilla VPN WebSocket Controller, which exposes a WebSocket endpoint on localhost. No additional authentication is required to interact with this port, thus allowing any website to connect and interact with the VPN client. At the beginning of the audit, Mozilla assured that this WebSocket server is only part of the staging build. However, later it was revealed that Mozilla would like to reuse this connection for communication with a browser extension in the future. Thus, Cure53 decided to report this issue.

The following code can be hosted on an arbitrary website. When Mozilla VPN is running, the website will connect to the WebSocket port and request a screenshot. This screenshot can then be leaked to the attacker.
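An added example, not code from the Mozilla VPN project or the Cure53 report: a handshake gate that a localhost WebSocket server could run before accepting a connection, rejecting upgrade requests whose `Origin` is not allowlisted or that lack a shared secret. The origin value, port, token and the choice to carry the token in the query string are constructed assumptions; the thread itself settled on native messaging rather than a check like this.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders; not values from the Mozilla VPN code base.
ALLOWED_ORIGINS = {"moz-extension://11111111-2222-3333-4444-555555555555"}
SESSION_TOKEN = "constructed-per-launch-secret"


def parse_handshake(raw: bytes):
    """Split a raw HTTP upgrade request into (target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        raise ValueError("not a GET request")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if not sep or (key == "origin" and key in headers):
            raise ValueError("malformed or duplicate header")
        headers[key] = value.strip()
    return parts[1], headers


def authorize_handshake(raw: bytes):
    """Return (allowed, reason); call before sending 101 Switching Protocols."""
    try:
        target, headers = parse_handshake(raw)
    except ValueError as exc:
        return False, str(exc)
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Browsers set Origin on the handshake; page script cannot change it.
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # Non-browser clients can send any Origin, so a secret is required too.
    token = parse_qs(urlsplit(target).query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return False, "bad token"
    return True, "ok"


def sample_request(origin: str, token: str) -> bytes:
    """Build a constructed handshake for trying the check."""
    return (f"GET /?token={token} HTTP/1.1\r\nHost: localhost:8765\r\n"
            f"Upgrade: websocket\r\nConnection: Upgrade\r\nOrigin: {origin}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode()
```

A request with no `Origin` header at all is rejected by the same allowlist test, since `None` is never a member of the set.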


@bakulf bakulf added p1 High Criticality Issues audit-issue labels Apr 7, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021
@bakulf bakulf added this to Backlog in v2.3 Apr 12, 2021

bakulf commented Apr 12, 2021

After talking with the webextension team, the new plan is to use what Cure53 has suggested: native messages.

@bakulf bakulf closed this as completed Apr 12, 2021
v2.3 automation moved this from Backlog to Merged Apr 12, 2021
@jess-cook03 jess-cook03 added this to the Release v2.3 milestone Apr 14, 2021
@jess-cook03 jess-cook03 added this to Triage parking lot in Mozilla VPN Product Board via automation Apr 14, 2021
@jess-cook03 jess-cook03 moved this from Triage parking lot to Done/Merged in Mozilla VPN Product Board Apr 14, 2021
@birdsarah birdsarah removed this from Merged in v2.3 Apr 29, 2021