CVE-2020-15682 in Firefox

Summary

by MITRE • 10/23/2020

When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82.


Analysis

by VulDB Data Team • 11/25/2020

This vulnerability is a browser UI spoofing flaw in the way Firefox handled links to external protocols, and it relied on user interaction to succeed. When a user clicked a link to a non-web protocol such as mailto: or tel:, the browser displayed a dialog asking which application should handle the request. Because that prompt could be manipulated to appear as if it came from an origin the attacker did not control rather than from the actual source of the link, an attacker could craft convincing spoofing scenarios that deceived users into launching unintended applications or executing malicious code through the selected handler.

The flaw lay in the browser's protocol handler registration and prompt display mechanisms. Firefox did not properly validate or isolate the origin context of external protocol requests, so a crafted web page could cause the system prompt to display incorrect origin information. This is a trust boundary violation: users could be misled about which website was requesting protocol handling, potentially leading to credential theft, malware execution, or other malicious activity. Firefox versions prior to 82 are affected, as the browser's security model had not yet been updated to handle these edge cases in protocol handling.

The operational impact extends beyond simple phishing to user trust and application security in general. An attacker could make users believe they were interacting with a legitimate website while actually triggering malicious applications or services. The technique matches patterns in the attack tree model for web browser exploitation that involve user-interaction manipulation and trust boundary violations. Because it undermines security controls that rely on user confirmation prompts, it is particularly dangerous in environments where users are asked to approve actions they would not consent to if they understood the true origin of the request.

Mozilla's fix made external protocol prompts tab-modal rather than global browser prompts, which prevents cross-origin manipulation of the prompt context, and additionally ensured that such a prompt cannot be incorrectly associated with a different origin, closing the spoofing vector. This follows established principles of user interface security, including input validation and context isolation, and applies defense in depth by addressing both the presentation-layer issue and the underlying validation mechanism that allowed the spoofing to succeed. The approach is consistent with that recommended for vulnerabilities classified under CWE-601 (URL redirection and open redirect) and protects against the browser-based phishing pattern documented in threat intelligence reports.

Reservation

07/10/2020

Disclosure

10/23/2020

Moderation

accepted

CPE

ready

EPSS

0.00477

KEV

no

Activities

very low
