CVE-2023-1945 - How a Safe Browsing API Glitch Could Crash (and Exploit) Firefox ESR and Thunderbird

---

In April 2023, Mozilla quietly patched a significant vulnerability now tracked as CVE-2023-1945. This bug centered around how browser applications handled data from the Safe Browsing API – a system designed to keep you safe from malicious websites. Sometimes, protecting you can open new doors for attackers. In this long read, we’ll break down the issue, explore exactly why it was dangerous, run through the vulnerable code, and explain how attackers might have exploited this bug. All in plain English, for real-world folks.

What Is the Safe Browsing API?

Before we dive in, let’s cover some basics. Safe Browsing is a service by Google (Safe Browsing API docs). Browsers like Firefox, Chrome, and tools like Thunderbird use it to check websites and attachments against a list of unsafe or malicious URLs. The API responds to queries from the browser, returning data (often JSON) indicating if a site is safe or not.

But what if the API — or a man-in-the-middle — gave back data the browser didn’t expect? That’s where things went wrong.

Firefox ESR before 102.10

Mozilla's security advisory summarizes it:

> _"Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash."_

Where The Code Went Wrong

Browsers request data from the Safe Browsing API using HTTPS. They then consume the response and parse it, assuming it has a certain structure (for example, a specific JSON format).

The bug here: Mozilla’s code didn’t fully validate that the API’s response actually fit the expected structure. That means if the API (or a malicious server impersonating it) returned unexpected or specially crafted data, it could confuse the browser and cause it to access memory incorrectly. In many cases, this leads to a crash. In bad cases, it lets an attacker inject code (memory corruption) and possibly gain control.

Here’s a simplified example *in pseudocode* of what could go wrong

// Simplified pseudocode resembling Firefox's C++ code for parsing Safe Browsing data
void HandleSafeBrowsingResponse(const char* responseData, size_t len) {
    ParsedResponse resp = ParseJSON(responseData, len);

    // Assume resp.hashes is always an array!
    for (int i = ; i < resp.hashes.length; ++i) {
        // Unsafe: if resp.hashes isn't an array, this could fail
        ProcessHash(resp.hashes[i]);
    }
}

If the actual response is unexpected, like

{"hashes": "not_an_array"}

The loop could access something that isn’t an array, confuse memory access, and crash — or worse.

How Could Attackers Exploit This?

1. Intercept Traffic: If an attacker could intercept your network traffic (like on public WiFi) and spoof the Safe Browsing API, they could return malicious responses.
2. Trigger Malformed Responses: In theory, if there was a bug in Google’s API or if the attacker controlled another API endpoint used similarly, they could send the browser weird data.
3. Cause Memory Corruption: The browser, on parsing this data, could operate on memory it shouldn’t — sometimes allowing arbitrary code execution.
4. Crash the Browser: At minimum, this would crash Thunderbird or Firefox ESR, possibly leading users to re-open mail or restart browsers (a DoS).

Real-World Exploit Scenario

Imagine you’re in an airport on public WiFi. An attacker on the same network uses a proxy to hijack your requests to the Safe Browsing API (via DNS poisoning, ARP spoofing, or a compromised router). They send back a malformed response, like this:

{"hashes": {"subvert": "exploit_me"}}

If the Safe Browsing handler treats this like a normal array, it could crash with a segmentation fault. Even more dangerous: with special payloads, it could give the attacker arbitrary control over browser memory.

Proof of Concept: Crash Simulation

While a real exploit would require deep knowledge of Firefox’s internals (and is illegal to use unethically), a basic crash can be simulated. Here’s a Python snippet that acts as a local fake API server:

import http.server

class CrashAPIHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Return malformed Safe Browsing response
        self.send_response(200)
        self.send_header('Content-Type', 'application/json')
        self.end_headers()
        self.wfile.write(b'{"hashes": {"oops": "notanarray"}}')

httpd = http.server.HTTPServer(('127...1', 8081), CrashAPIHandler)
print("Malicious API server running on http://127...1:8081";)
httpd.serve_forever()

If you force your browser to use this as the Safe Browsing endpoint (not recommended), you could trigger the buggy codepath.

Fix and Patch

Mozilla has fixed this vulnerability in Thunderbird 102.10 and Firefox ESR 102.10. Updated browsers now properly validate that the response contains the expected structure, gracefully handling weird or malicious responses.

References and More Reading

- Mozilla Security Advisory MFSA 2023-14
- NIST CVE entry for CVE-2023-1945
- Safe Browsing API Docs
- Mozilla ESR Releases page

Takeaways for Users

- Update ASAP: If you’re using Thunderbird or Firefox ESR, make sure you’re patched to at least 102.10.
- Stay Skeptical: Even “security” features can go wrong. Attackers often exploit trust between software and third-party APIs.

Be Careful on Public Networks: Man-in-the-middle attacks are still a thing, even in 2024.

Bottom line: CVE-2023-1945 is a prime example of how expecting data to behave — without strict validation — can put everything at risk. Stay updated, stay safe!

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 15:06:00 UTC