Ptheriault (talk | contribs)
====3. Secure data storage ====
N/A
====4. Denial of Service ====
Web pages could launch the bluetooth app without user interaction; perhaps it should only be possible to launch the bluetooth app from a user-chosen web activity.
====5. Use of Privileged APIs ====
This app uses devicestorage:sdcard to load the files it is about to send. This was a temporary fix and should probably be changed now. See the comment in the code regarding bug 811615.
====6. Interfaces with other Apps/Content====
As above, any content can launch the bluetooth transfer page via a web activity.
=== Security Risks & Mitigating Controls ===
* User is tricked into sending a file
Any website could try to guess a file name on the sdcard and prompt the user to send it. There is no indication in the bluetooth app that you are about to send a file. However, prior to sending the file, the user needs to go through a step of pairing a device, which mitigates this risk pretty effectively (it would be very hard to 'accidentally' pair with another device).
* Website repeatedly fires up bluetooth app to consume power as a DoS
Web activities can't be fired from the background, so this wouldn't work after the user hid the browser.
=== Actions & Recommendations ===
Discussing remediation with bluetooth app developers at the moment:
1. The UI shown when you are about to send a file doesn't actually tell you that you are about to send a file (it just shows a list of paired devices). The user may not have initiated this web activity (e.g. new MozActivity({name: 'share', data: {number: 1, filenames: ["screenshots/1980-01-06-00-18-06.png"]}}) starts the bluetooth app without a prompt).
- Show some title or prompt to tell the user what is about to happen
2. Bug 811615 is marked as fixed now - does this mean that we could change to receiving blobs with metadata instead of having the transfer app have sdcard permission?
3. Validate the file paths prior to using them
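One way to carry out recommendation 3, as an added example that is not taken from the bluetooth app's code: a check run on the share activity's data before any file name reaches device storage. The function name, the two limits, the rule that number must equal the length of filenames, and the treatment of paths as relative to the sdcard root (as in the example in item 1) are assumptions.

```javascript
// Added example, not Gaia code: validate a 'share' activity payload before
// any file name is passed to device storage. Names and limits are assumed.
const MAX_FILES = 20;         // assumed cap on files per transfer
const MAX_NAME_LENGTH = 255;  // assumed cap on path length

// Returns { ok: true, filenames } or { ok: false, reason }.
function validateShareData(data) {
  if (!data || !Array.isArray(data.filenames)) {
    return { ok: false, reason: 'filenames missing or not an array' };
  }
  const names = data.filenames;
  if (names.length === 0 || names.length > MAX_FILES) {
    return { ok: false, reason: 'unexpected number of files' };
  }
  // Assumption: 'number' is meant to equal the length of 'filenames'.
  if (data.number !== names.length) {
    return { ok: false, reason: 'number does not match filenames' };
  }
  for (const name of names) {
    if (typeof name !== 'string' || name.length === 0 ||
        name.length > MAX_NAME_LENGTH) {
      return { ok: false, reason: 'invalid file name type or length' };
    }
    // Reject NUL and other control characters.
    if (/[\u0000-\u001f\u007f]/.test(name)) {
      return { ok: false, reason: 'control character in file name' };
    }
    // Assumption: paths are relative to the sdcard storage root.
    if (name.startsWith('/') || name.includes('\\')) {
      return { ok: false, reason: 'absolute path or backslash' };
    }
    // No empty, '.' or '..' segments, so the path cannot leave the root.
    const segments = name.split('/');
    if (segments.some((s) => s === '' || s === '.' || s === '..')) {
      return { ok: false, reason: 'empty or dot segment in path' };
    }
  }
  return { ok: true, filenames: names.slice() };
}

// Constructed sample payloads (the first is the one quoted on this page).
const samples = [
  { number: 1, filenames: ['screenshots/1980-01-06-00-18-06.png'] },
  { number: 1, filenames: ['../outside.txt'] },
  { number: 2, filenames: ['DCIM/a.jpg'] },
];
for (const s of samples) {
  console.log(JSON.stringify(s), validateShareData(s).reason || 'ok');
}
```

A check like this only constrains the shape of the request. It does not tell the user that a file is about to be sent, so it complements the prompt in item 1 rather than replacing it.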
[[Category:SecReview]]