Security/Reviews/Gaia/system/identity.js
Looking at identity.js, the code only responds to two mozChromeEvents:
- open-id-dialog
- received-id-assertion
The attack vectors I see are:
- some workflow spoofs the expected event types
- bad data is sent to the message handler in system/js/identity.js
- some malicious actor is able to listen in to the reply events
Attack vector 2) isn't a concern. Nothing of interest is passed back to the handling frame. A mozContentEvent is fired and contains either {id: chromeEventId} or {id: chromeEventId, frame: evt.target}.
You would need to spoof both the chromeEventId and the requestId to make anything happen. requestId is a uuid used in events, and we haven't raised any issue with its generation yet.
3) isn't a concern either. The event is dispatched to the window which loaded the identity file, which in this case is the system app.
For issue 1), mozChromeEvents are only generated in a couple of trusted areas:
- 1) SignInToWebsite.jsm http://mxr.mozilla.org/mozilla-central/source/b2g/components/SignInToWebsite.jsm#177
- 2) ActivitiesGlue.js http://mxr.mozilla.org/mozilla-central/source/b2g/components/ActivitiesGlue.js#53
- 3) PaymentGlue.js http://mxr.mozilla.org/mozilla-central/source/b2g/components/PaymentGlue.js#79
- 4) shell.js http://mxr.mozilla.org/mozilla-central/source/b2g/chrome/content/shell.js#1013
We can strike out 1) as a threat; it only sends these event types:
92 const kOpenIdentityDialog = "open-id-dialog";
96 const kReceivedIdentityAssertion = "received-id-assertion";
We can also strike out ActivitiesGlue.js, which only sends
37 type: "activity-choice",
and PaymentGlue.js, which only sends
17 const kOpenPaymentConfirmationEvent = "open-payment-confirmation-dialog";
18 const kOpenPaymentFlowEvent = "open-payment-flow-dialog";
shell.js sends
135 type: "handle-crash",
400 this.sendChromeEvent({type: type});
At 400, type is a hardware key name, and the data doesn't carry the id field that identity.js requires.
525 type: 'open-app',
595 shell.sendChromeEvent({ type: "fullscreenoriginchange",
752 type: "desktop-notification",
854 "type": "webapps-launch",
864 type: "webapps-ask-install",
912 "type": "remote-debugger-prompt"
990 type: 'take-screenshot-success',
996 type: 'take-screenshot-error',
1022 shell.sendChromeEvent(JSON.parse(data));
The last one (1022) is the only concern: all the other instances in shell.js send a specific type and/or don't carry the id field that identity.js uses as chromeEventId.
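As an added illustration (not Gaia or B2G code) of the check a defender would want in front of a forwarding path like the JSON.parse one above: the parsed payload is only dispatched if its type is one of the two identity.js event types and it carries a chromeEventId, assuming ids are uuid strings as the review notes.

```javascript
// Added example, not from Gaia/B2G: allowlist filter for mozChromeEvent payloads
// that come from untrusted JSON, modelled on the two types identity.js handles.
const IDENTITY_EVENT_TYPES = new Set(["open-id-dialog", "received-id-assertion"]);

// Assumption: chromeEventId is a uuid string (the review says requestId is a uuid).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns {ok: true, type, id} for a well-formed identity event, otherwise
// {ok: false, reason} so the caller can log why the payload was dropped.
function validateIdentityChromeEvent(detail) {
  if (detail === null || typeof detail !== "object" || Array.isArray(detail)) {
    return { ok: false, reason: "detail is not an object" };
  }
  if (!IDENTITY_EVENT_TYPES.has(detail.type)) {
    return { ok: false, reason: "unknown type " + String(detail.type) };
  }
  if (typeof detail.id !== "string" || !UUID_RE.test(detail.id)) {
    return { ok: false, reason: "missing or malformed chromeEventId" };
  }
  return { ok: true, type: detail.type, id: detail.id };
}

// Mirrors the shell.js forwarding path: parse untrusted data, validate the
// result, and hand only well-formed events to the dispatcher callback
// (a stand-in for sendChromeEvent). Invalid JSON is rejected, not thrown.
function forwardParsedEvent(data, dispatch) {
  let detail;
  try {
    detail = JSON.parse(data);
  } catch (e) {
    return { ok: false, reason: "invalid JSON" };
  }
  const verdict = validateIdentityChromeEvent(detail);
  if (verdict.ok) {
    dispatch(detail);
  }
  return verdict;
}
```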
Looking at captivedetect.js, there is no issue: http://mxr.mozilla.org/mozilla-central/source/toolkit/components/captivedetect/captivedetect.js
The event details use constant types:
18 const kOpenCaptivePortalLoginEvent = 'captive-portal-login';
19 const kAbortCaptivePortalLoginEvent = 'captive-portal-login-abort';