Security/Reviews/Gaia/Dialer: Difference between revisions

==== Post Messages ====


TODO Not sure what the official name for this is. I am referring to <code>window.postMessage()</code>.
The dialer (and the other code in the communications app) depends on window.postMessage() and setEventHandler('message',...) to send and receive cross-origin messages. Usually this is between different pages in the same app, such as dialer/index.html and dialer/oncall.html, but it is also used with remote sites, for example when we integrate with Facebook.


TODO The app does not check the origin of the post messages. Is that exploitable? Can another app send a message? Can content loaded from this app send a message? Like that Facebook thing?
The app handles the following post messages:

* js/dialer.js:200
** "closing"
** "notification"
** "recent"
** "contactsiframe"
* js/oncall.js:505
** "exitCallScreen"
* js/ussd.js:33
** "reply"
** "close"

ISSUE: None of the handlers verify that the message originated from a trusted/expected source.

I was able to exploit this and let remote content post messages to the Dialer to trigger Missed Calls notifications to appear.

ACTION: Add strict checking of event sources as described on MDN at https://developer.mozilla.org/en-US/docs/DOM/window.postMessage#Security_concerns

* {{bug|845487}} Dialer responds to cross-origin messages without verifying the source (exploitable)
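The following is an added illustration of the ACTION above and is not code from the Gaia dialer. It places an unchecked 'message' handler of the kind described in the ISSUE next to a handler that applies the origin check MDN recommends. The allow-list origins (app://communications.gaiamobile.org and https://www.facebook.com), the attacker origin, and the handler bodies are all constructed for the example; the message type names are the ones listed above. It runs outside a browser by using plain objects in place of MessageEvent.

```javascript
// Added example, not Gaia code. Simulates the dialer's 'message' handler
// with and without the origin check recommended on MDN.

// Constructed allow-list: an assumed origin for the communications app plus
// the one remote integration the review mentions. Real values would come
// from the app's manifest and integration configuration.
const TRUSTED_ORIGINS = new Set([
  'app://communications.gaiamobile.org',   // assumed app origin
  'https://www.facebook.com',              // assumed remote integration origin
]);

// Message types named in the review (js/dialer.js, js/oncall.js). The handler
// bodies only record what ran so the two dispatchers can be compared.
function makeHandlers(log) {
  return {
    closing: () => log.push('closing'),
    notification: (payload) => log.push('notification:' + payload),
    recent: () => log.push('recent'),
    exitCallScreen: () => log.push('exitCallScreen'),
  };
}

// Before: dispatches on message type only. Any page that can obtain a
// reference to this window (an opener, an embedder, an iframe child) can
// trigger e.g. the missed-call notification path.
function handleMessageUnchecked(event, handlers) {
  const msg = event.data;
  if (msg && typeof msg.type === 'string' && handlers[msg.type]) {
    handlers[msg.type](msg.payload);
    return true;
  }
  return false;
}

// After: reject anything whose origin is not on the allow-list before
// touching event.data. event.origin is set by the browser, not chosen by the
// sender, so it is the value to compare; inspecting the payload alone is not
// a substitute. A sandboxed or opaque sender shows up as the string 'null'
// and is rejected like any other unknown origin.
function handleMessageChecked(event, handlers, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) {
    // Drop and log: a rejected message is a useful signal for the app's
    // own diagnostics, and dropping it is the safe default.
    console.warn('dropped message from untrusted origin:', event.origin);
    return false;
  }
  return handleMessageUnchecked(event, handlers);
}

// Minimal stand-in for a MessageEvent so the example runs under Node.
function fakeEvent(origin, data) {
  return { origin, data, source: null };
}

// Feeds the same constructed messages through both dispatchers and returns
// what each one acted on.
function demo() {
  const uncheckedLog = [];
  const checkedLog = [];
  const events = [
    fakeEvent('app://communications.gaiamobile.org', { type: 'recent' }),
    fakeEvent('https://attacker.example', { type: 'notification', payload: 'missed call' }),
    fakeEvent('null', { type: 'exitCallScreen' }),  // opaque origin (sandboxed frame)
  ];
  for (const ev of events) {
    handleMessageUnchecked(ev, makeHandlers(uncheckedLog));
    handleMessageChecked(ev, makeHandlers(checkedLog));
  }
  return { uncheckedLog, checkedLog };
}

if (typeof window === 'undefined') {
  console.log(demo());
}
```

In the app itself the checked dispatcher would be registered as <code>window.addEventListener('message', (ev) => handleMessageChecked(ev, handlers))</code>. The same discipline applies on the sending side: <code>postMessage(data, targetOrigin)</code> should name the expected receiver origin rather than <code>'*'</code>, so that a message is not delivered if the target window has since navigated elsewhere.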


==== Web Activity Usage ====