Security/Reviews/Gaia/system/identity.js


From looking at the identity.js part: the code only responds to two mozChromeEvents

  1. open-id-dialog
  2. received-id-assertion

The attack vectors I see are:

  1. some workflow spoofs the expected event types
  2. bad data is sent to the message handler for system/js/identity.js
  3. some malicious actor is able to listen in to the reply events

Attack vector 2) isn't a concern. Nothing of interest is passed back to the handling frame: the reply is a mozContentEvent whose detail is either {id: chromeEventId} or {id: chromeEventId, frame: evt.target}.

You would need to spoof both the chromeEventId and the requestId to make anything happen. requestId is a uuid used in events, and we haven't raised any issue with its generation yet.

3) isn't a concern either. The event is dispatched to the window which loaded the identity file, the system app in this case.

For issue 1), mozChromeEvents are only generated in a few trusted places:

  1. SignInToWebsite.jsm http://mxr.mozilla.org/mozilla-central/source/b2g/components/SignInToWebsite.jsm#177
  2. ActivitiesGlue.js http://mxr.mozilla.org/mozilla-central/source/b2g/components/ActivitiesGlue.js#53
  3. PaymentGlue.js http://mxr.mozilla.org/mozilla-central/source/b2g/components/PaymentGlue.js#79
  4. shell.js http://mxr.mozilla.org/mozilla-central/source/b2g/chrome/content/shell.js#1013

We can strike out 1) as a threat: it only sends the events

 92 const kOpenIdentityDialog = "open-id-dialog";
 96 const kReceivedIdentityAssertion = "received-id-assertion";

We can also strike out ActivitiesGlue.js, which sends

 37       type: "activity-choice",

PaymentGlue.js sends only

 17 const kOpenPaymentConfirmationEvent = "open-payment-confirmation-dialog";
 18 const kOpenPaymentFlowEvent = "open-payment-flow-dialog";

shell.js sends

 135         type: "handle-crash",
 400       this.sendChromeEvent({type: type}); 

Here type is a hardware key name, and the data does not carry the id that identity.js requires.

 525       type: 'open-app',
 595   shell.sendChromeEvent({ type: "fullscreenoriginchange",
 752         type: "desktop-notification",
 854             "type": "webapps-launch",
 864           type: "webapps-ask-install",
 912       "type": "remote-debugger-prompt"
 990         type: 'take-screenshot-success',
 996         type: 'take-screenshot-error',
 1022     shell.sendChromeEvent(JSON.parse(data));

The last one is the only concern: all the other instances in shell.js send a specific type and/or lack the id that is used as chromeEventId.
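To make the two checks this review leans on concrete, here is an added JavaScript model (not Gaia's identity.js or shell.js code): the handler accepts only the two identity event types and requires the requestId/chromeEventId pair to match an open request, and a type allow-list guards a forwarding path of the shape sendChromeEvent(JSON.parse(data)). The detail field names (type, id, requestId) and the Map of pending requests are assumptions for this example.

```javascript
// Added model of the two checks described in the review; not Gaia's identity.js
// or shell.js. Field names (type, id, requestId) and the pending Map are assumptions.
const kOpenIdentityDialog = "open-id-dialog";
const kReceivedIdentityAssertion = "received-id-assertion";
const kIdentityEventTypes = new Set([kOpenIdentityDialog, kReceivedIdentityAssertion]);

// Open identity requests: requestId (assumed uuid) -> chromeEventId it was issued with.
const pending = new Map();

// System-app side: only the two known types are handled, and an assertion is accepted
// only when both its requestId and its chromeEventId match an open request.
function handleChromeEvent(detail) {
  if (!detail || typeof detail !== "object") return { handled: false, reason: "no detail" };
  if (!kIdentityEventTypes.has(detail.type)) return { handled: false, reason: "unknown type" };
  if (typeof detail.id !== "string") return { handled: false, reason: "missing chromeEventId" };
  if (typeof detail.requestId !== "string") return { handled: false, reason: "missing requestId" };

  if (detail.type === kOpenIdentityDialog) {
    pending.set(detail.requestId, detail.id);
    // The reply carries nothing but the chromeEventId back to the chrome side.
    return { handled: true, reply: { id: detail.id } };
  }

  // received-id-assertion: a spoofed event must carry both correct ids to get past this.
  if (pending.get(detail.requestId) !== detail.id) {
    return { handled: false, reason: "id mismatch" };
  }
  pending.delete(detail.requestId); // one assertion per request; replays are dropped
  return { handled: true, reply: { id: detail.id } };
}

// Guard for a forwarding path of the shape sendChromeEvent(JSON.parse(data)):
// parse the untrusted string, then forward only types that path is meant to emit.
// The identity types are deliberately absent from the caller's allow-list.
function filterForwardedChromeEvent(data, allowedTypes) {
  let detail;
  try {
    detail = JSON.parse(data);
  } catch (e) {
    return { forwarded: false, reason: "bad json" };
  }
  if (!detail || typeof detail !== "object" || !allowedTypes.has(detail.type)) {
    return { forwarded: false, reason: "type not allowed" };
  }
  return { forwarded: true, detail };
}
```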

Looking at captivedetect.js, there is no issue: http://mxr.mozilla.org/mozilla-central/source/toolkit/components/captivedetect/captivedetect.js

The event details it sends carry only these constant types:

 18 const kOpenCaptivePortalLoginEvent = 'captive-portal-login';
 19 const kAbortCaptivePortalLoginEvent = 'captive-portal-login-abort';