Puffin Web Browser Pop Up Recursion Vulnerability - DOS
During my recent security research on "Puffin Web Browser" I found several security bugs in it, ranging from low to high risk issues. My recent post "Puffin Web Browser Address Bar Spoofing" already covered a high risk vulnerability inside Puffin Web Browser. However, today I would like to discuss a low/medium risk issue known as a "Pop Up Recursion" vulnerability, which results in a Denial of Service. This is a known issue and has already been addressed in the past in browsers such as Google Chrome; however, Puffin Web Browser is still affected by it.
Vulnerability
The vulnerability occurs due to mishandling of the location.reload function, as it keeps reloading the document; however, the issue more likely lies in not limiting the pop-ups, or simply in offering no way to ignore further prompts.
Expected Result
Puffin Web Browser should have opened a new window with a single alert box.
What actually happened?
Puffin Web Browser recursively opens a new window on pressing the OK button, and there is no way to prevent the page from creating additional pop-ups, unlike Chrome, IE etc.
Puffin Web Browser
On pressing the "OK" button, it reloads a copy of the current document in a new tab; on pressing "OK" on the second window, it reloads another copy of the current document in a new tab, and this keeps growing until the browser finally crashes.
Chrome
In Chrome for Android, this effect is limited by offering a checkbox to prevent the current document from creating additional dialogs.
POC
The following is a simple proof of concept:
<html>
<title>Puffin Web Browser Pop Up Recursion DOS</title>
<body>
<script>
window = window.open(location.reload('http://rafayhackingarticles.net'));
window.alert(window)
</script>
</body>
</html>
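The two browser-side limits the post says Puffin lacks (a bound on pop-ups per origin, and a "prevent this page from creating additional dialogs" option on the dialog itself) can be modelled in a few lines. The following is an added example written for this page, not code from the original post and not Puffin's or Chrome's implementation; it replays the behaviour the post describes (each OK press reloads a copy of the document in a new window, whose script raises the next alert) against a small limits model. The names BrowserLimits and simulatePopupRecursion and the origin http://example.test are assumptions for the example.

```javascript
// Added example: a model of per-origin pop-up and dialog limits, and a replay
// of the recursion the post describes, to show that either limit stops it.
class BrowserLimits {
  constructor({ maxPopupsPerOrigin = Infinity,
                maxDialogsBeforeSuppressOption = Infinity,
                userTicksSuppress = false } = {}) {
    this.maxPopups = maxPopupsPerOrigin;
    this.maxDialogs = maxDialogsBeforeSuppressOption;
    this.userTicksSuppress = userTicksSuppress;
    this.popups = new Map();     // origin -> windows opened so far
    this.dialogs = new Map();    // origin -> dialogs shown so far
    this.suppressed = new Set(); // origins the user has silenced
  }

  // window.open(): allowed only while the origin is under its pop-up budget.
  requestPopup(origin) {
    const n = this.popups.get(origin) || 0;
    if (n >= this.maxPopups) return false;
    this.popups.set(origin, n + 1);
    return true;
  }

  // alert(): "shown" if the user gets a dialog to dismiss, "suppressed" if
  // the browser drops it because the user silenced this origin earlier.
  requestDialog(origin) {
    if (this.suppressed.has(origin)) return "suppressed";
    const n = (this.dialogs.get(origin) || 0) + 1;
    this.dialogs.set(origin, n);
    // From the threshold on, the dialog carries a "prevent this page from
    // creating additional dialogs" checkbox; this models the user ticking it.
    if (n >= this.maxDialogs && this.userTicksSuppress) this.suppressed.add(origin);
    return "shown";
  }
}

// Replays the behaviour the post describes. `cap` stands in for the point at
// which a browser with no limits would exhaust memory and crash.
function simulatePopupRecursion(limits, origin, cap = 10000) {
  let windows = 1;        // the window the user navigated to the page in
  let dialogsShown = 0;
  let pendingScripts = 1; // documents whose script has not run yet
  while (pendingScripts > 0 && windows < cap) {
    pendingScripts -= 1;
    if (limits.requestDialog(origin) !== "shown") continue; // no OK press: chain ends
    dialogsShown += 1;
    if (!limits.requestPopup(origin)) continue;             // pop-up blocked: chain ends
    windows += 1;          // the OK press reloads the document in a new window
    pendingScripts += 1;   // ...whose script will raise the next alert
  }
  return { windows, dialogsShown, crashed: windows >= cap };
}

const ORIGIN = "http://example.test"; // constructed origin for the simulation

// Case 1: no limits at all (the behaviour the post reports for Puffin).
function unlimitedBrowser() {
  return simulatePopupRecursion(new BrowserLimits(), ORIGIN, 500);
}
// Case 2: the user silences the origin on the second dialog (Chrome-style checkbox).
function dialogSuppressingBrowser() {
  const limits = new BrowserLimits({ maxDialogsBeforeSuppressOption: 2, userTicksSuppress: true });
  return simulatePopupRecursion(limits, ORIGIN, 500);
}
// Case 3: a pop-up budget alone is enough to stop the chain.
function popupLimitedBrowser() {
  return simulatePopupRecursion(new BrowserLimits({ maxPopupsPerOrigin: 3 }), ORIGIN, 500);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("no limits:         ", unlimitedBrowser());
  console.log("dialog suppression:", dialogSuppressingBrowser());
  console.log("pop-up limit:      ", popupLimitedBrowser());
}
```

The unlimited case runs into the cap (the stand-in for a crash); the other two terminate after a handful of windows, which is the point: the dialog checkbox and the pop-up budget are independent controls, and either one on its own bounds the page's ability to keep interrupting the user.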
Puffin Web Browser Address Bar Spoofing Vulnerability
During my recent research on mobile browsers I have managed to find a couple of interesting vulnerabilities, such as an SOP bypass, a Denial of Service and an Address Bar Spoofing vulnerability, which are worth a writeup. However, in the following writeup I will discuss an "Address Bar Spoofing Vulnerability" present inside a well known mobile browser for both Android and iOS, known as "Puffin Web Browser".
Description
Let's take a look at the official description of Puffin Web Browser:
"Puffin Web Browser is a wicked fast Mobile Flash Browser. Once users experience the thrill of using Puffin, regular Mobile Internet just feels like torture. Puffin Free is the free version of Puffin family, and supports Adobe Flash during the daytime everyday."
Puffin Web Browser comes in two different flavours, a free version and a paid version.
Popularity
According to recent stats from Google Play, the approximate number of installs for "Puffin Web Browser Free" is somewhere between 5 million and 10 million.
Whereas, according to another popular Android market, "Mobogenie", the approximate number of installs for "Puffin Web Browser Free" is more than 5 million.
This makes the total userbase of Puffin Web Browser more than 10 million.
Vulnerability
An "Address Bar Spoofing" vulnerability was identified in "Puffin Web Browser", caused by mishandling of JavaScript's window.open function, which is used to open a secondary browser window. This could be exploited to trick users into supplying sensitive information such as usernames/passwords, because the address bar displays a legitimate URL while the content is in fact hosted on the attacker's page.
Proof Of Concept
The following piece of JavaScript code was used as a proof of concept, modifying "David Vieria's" POC to suit our needs and to demonstrate the vulnerability to the vendor.
<!-- The "demo" button referred to in the steps below; it was missing from the original snippet -->
<button id="one">demo</button>
<script>
// Clicking "demo" opens a window whose address bar shows the
// rafayhackingarticles.net URL, while the content shown in it is written
// by this page, which is hosted on rhainfosec.com.
document.getElementById('one').onclick = function() {
  var myWindow = window.open('http://rafayhackingarticles.net/', 'RHA', 'width=300,height=300,location=yes');
  myWindow.document.write("<html><head></head><body><b>This page is still being hosted on rhainfosec.com, however the domain is pointing to rafayhackingarticles.net.</b><br><br><iframe src=\"http://www.rafayhackingarticles.net/\"></iframe></body></html>");
  myWindow.focus();
  return false;
};
</script>
Steps To Reproduce
2) Click on the "demo" button.
3) A new window would pop up with the address bar pointing to rafayhackingarticles.net, however the page is still hosted on rhainfosec.com.
In a real attack scenario, an attacker could create a fake login page for facebook.com, for instance, and since the address bar would still be pointing to facebook.com, the victim would not
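What makes this spoof work is a mismatch between two pieces of state: the URL a navigation is heading for, and the URL of the document that is actually on screen. When the opener writes into the newly opened window, the content on screen is opener-authored while the bar still shows the requested URL. The following is an added example written for this page, not code from the original post and not Puffin's internals: a minimal model of that state, with the address bar policy that is spoofable beside the one that is not. The names BrowserWindow, openWindow, commitNavigation, openerWrites, addressBarVulnerable and addressBarSafe, and the hosts opener.test and target.test, are assumptions for the example.

```javascript
// Added example: model of the address bar state behind the spoof above.
class BrowserWindow {
  constructor(openerOrigin, requestedUrl) {
    this.requestedUrl = requestedUrl;       // what window.open() was asked to load
    this.pendingUrl = requestedUrl;         // navigation in flight, not yet committed
    this.committedUrl = "about:blank";      // URL of the document actually displayed
    this.documentAuthor = openerOrigin;     // origin that controls the displayed content
  }
}

const originOf = (url) => new URL(url).origin;

// window.open(url) from a page at openerUrl: the new window starts as an
// about:blank document the opener may script; the load of url is only pending.
function openWindow(openerUrl, url) {
  return new BrowserWindow(originOf(openerUrl), url);
}

// The response for the pending navigation arrives: the document now belongs
// to the target origin and the opener loses script access to it.
function commitNavigation(w) {
  if (w.pendingUrl === null) return w;
  w.committedUrl = w.pendingUrl;
  w.documentAuthor = originOf(w.pendingUrl);
  w.pendingUrl = null;
  return w;
}

// The opener calls myWindow.document.write(...). It is allowed only while the
// window's document is still same-origin with the writer (i.e. still the
// about:blank it started as), and it cancels the pending navigation: what the
// user sees from now on is authored by the opener.
function openerWrites(w, writerUrl) {
  if (originOf(writerUrl) !== w.documentAuthor) {
    throw new Error("cross-origin document.write blocked by the same-origin policy");
  }
  w.pendingUrl = null;
  return w;
}

// Spoofable policy: the bar shows the URL that was requested for the window,
// regardless of which document ended up being displayed.
function addressBarVulnerable(w) {
  return w.requestedUrl;
}

// Non-spoofable policy: the bar only ever shows the committed document's URL.
// A pending load needs a distinct "loading" presentation, not the bare URL.
function addressBarSafe(w) {
  return w.committedUrl;
}

// Replays the proof of concept against a given address bar policy.
// URLs are constructed stand-ins for the post's two domains.
function reproduce(policy) {
  const w = openWindow("http://opener.test/attack.html", "http://target.test/");
  openerWrites(w, "http://opener.test/attack.html");
  return { shown: policy(w), author: w.documentAuthor };
}

// The honest case: the navigation completes before anyone writes into it.
function honestLoad(policy) {
  const w = commitNavigation(openWindow("http://opener.test/attack.html", "http://target.test/"));
  return { shown: policy(w), author: w.documentAuthor };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable bar:", reproduce(addressBarVulnerable));
  console.log("safe bar:      ", reproduce(addressBarSafe));
  console.log("honest load:   ", honestLoad(addressBarSafe));
}
```

With the vulnerable policy the bar reads http://target.test/ while the content author is http://opener.test, which is exactly the condition the post describes; with the safe policy the same window reads about:blank. Once the navigation has committed, a document.write from the opener is refused by the same-origin check, so the spoof only exists in the window between open and commit, and the fix is to never let the bar show a URL the displayed document has not committed to.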
Demonstration
Impact
The impact in my opinion is huge, since this vulnerability could be abused to launch targeted and more effective phishing attacks, which places 10 million users at risk.
Fix
The vulnerability was submitted on the 10th of June. I received an initial response that they would let us know about the schedule; however, after multiple emails, we didn't receive any further response. Therefore, I decided to go for full disclosure and urge users to beware.
As mentioned before, I have found several other vulnerabilities in mobile browsers; as soon as they get fixed I will blog about them. Kudos to David Vieria for his guidance.
Timeline
6/10/2014 - I reported the vulnerability.
6/13/2014 - Initial response.
6/26/2014 - I asked again if they are willing to fix it.
7/14/2014 - Blogged about this issue.
Nokia Asha Series Lock Screen Bypass
There have been a lot of lock screen bypasses lately in almost every mobile device, such as the iPhone, Samsung Galaxy, HTC etc., and if you observe carefully, most of them rely upon abusing the "Emergency Calling" option somehow. Hammad Shamsi, a security researcher from RHAinfoSec, has found a lock screen bypass which is present in all the latest versions of the Nokia Asha series. The bypass occurs due to mishandling of the SOS button (Emergency Panic Button), which is present on all Nokia Asha series devices and is used to place emergency calls.
How to Reproduce?
i) First, set up the lock code to lock the screen.
ii) Next, type any number on the unlock screen.
iii) Next, press the SOS button followed by the green button, and you are taken to the recent calls list.
This could be further abused into gaining complete phonebook access, adding/deleting a number, turning Bluetooth on/off etc. Hammad has created a series of three videos which demonstrate how this is accomplished.
Nokia Asha Lock Screen Bypass - Video #1
Nokia Asha Lock Screen Bypass - Video #2
Nokia Asha Lock Screen Bypass - Video #3
Reward
Hammad was awarded a Nokia Lumia 1520. Though mobile bugs are not a part of Nokia's bug bounty program, an exception was made in consideration of the impact of the bug.
I, on behalf of all RHAinfoSec team members, would like to congratulate him and wish him the best of luck in his future research.
Timeline
25/04/14 - The vulnerability was reported.
30/04/14 - Initial response from Nokia notifying that they are working on a fix.
1/06/14 - Nokia lumia was received.
7/07/14 - The issue was fixed.
7/12/2014 - Writeup was released.