2015-06-20

More on mobile: Spoofing the address bar with CVE-2014-1527

Continuing with the theme from my previous post, early last year I came across and reported CVE-2014-1527, also known as MFSA 2014-40. An issue affecting the Android version of the Firefox web browser, it made it possible to prevent the address bar from re-emerging after being hidden by a user action such as scrolling. This could have allowed a remote attacker to deploy a full address bar spoof simply using HTML and CSS to construct their own fake version of the browser UI.

And again the cause boiled down to a simple usability feature, a workaround for the issue of not-enough-screen-estate: To save space, most mobile browsers automatically hide the address bar along with all security indicators when they aren't being actively used. Doing something like that properly is tricky.

The really interesting part, though: An almost identical issue also affected Chrome for Android. And it still does. The bug ticket was closed as a WontFix, because, according to the developers, it was like that by design:

The fact that the toolbar is spoofable on mobile has been a conscious decision. The situation isn't going to change unless/until we generally revisit how the mobile toolbar UI works. Although this makes me sad, que será será (for now).

That's right, the address bar in Chrome for Android was consciously designed to be spoofable. A strange design decision if you ask me, but hey, usability first.

No comments:

Post a Comment