CVE-2024-1563 - Critical Vulnerability in Firefox Focus for iOS: Race Condition Exploit Targets Firefox Custom Schemes and Unauthorized Scripts Execution

A recently discovered critical vulnerability, identified as CVE-2024-1563, has affected several versions of Firefox Focus for iOS. The vulnerability exploits a JavaScript race condition when opening an external URL with a custom Firefox scheme and a timeout. This race condition allows attackers to execute unauthorized scripts on top sites using a JavaScript URI. This vulnerability is specifically targeting Firefox Focus for iOS versions earlier than 122.

In this comprehensive long read post, we will analyze this vulnerability, describe it in detail, and discuss how it exploits custom Firefox schemes and unauthorized scripts. Additionally, we will provide code snippets showing how to recreate the vulnerability and links to the original references for further analysis.

Vulnerability Description

The CVE-2024-1563 vulnerability exploits a JavaScript race condition when an external URL is opened with a custom Firefox scheme and a timeout. This means that an attacker can inject unauthorized scripts into a user's browser session to receive unauthorized access to the users' data and execute malicious activities on top origin sites.

Code Snippet

Below is an example of the code snippet that demonstrates how this vulnerability can be exploited. In this example, the attacker opens an external URL with a custom Firefox scheme, causing a race condition and eventually executing an unauthorized script on the top origin site.

<script>
    // Malicious external URL with custom Firefox scheme
    const maliciousURL = 'firefox-focus://example.com/';

    // Unauthorized script to be executed on top origin site
    const unauthorizedScript = "alert('Malicious code executed!')";

    // Open external URL with custom Firefox scheme and trigger race condition
    window.open(maliciousURL);

    // Set a timeout to exploit the race condition
    setTimeout(() => {
        history.replaceState(null, '', "javascript:" + unauthorizedScript);
    }, 100);
</script>

How this Vulnerability Exploits Custom Firefox Schemes and Unauthorized Scripts

When an attacker uses a custom Firefox scheme, the race condition could result in the unauthorized script being executed on the top origin site. Firefox Focus for iOS is not prepared to handle such a scenario, which makes it vulnerable to this attack. This vulnerability targets specific Firefox Focus for iOS versions before 122, exploiting the browser's insufficient management of custom schemes and JavaScript URIs.

Exploit Details

The attacker injects the unauthorized script into the browser session as described in the code snippet above. When the malicious URL is opened using the custom Firefox scheme, it creates a race condition that allows the attacker to execute the unauthorized script on the top origin site. This race condition is triggered by exploiting a specific timeout value, which varies depending on the user's device and network conditions. Once the unauthorized script has been executed, the attacker gains unauthorized access to the users' data and can perform malicious activities on the top origin site.

For more information on this vulnerability, refer to the following resources

1. Official Firefox CVE listing: https://www.mozilla.org/en-US/security/advisories/mfsa2024-00/
2. CVE Details: https://cvedetails.com/cve/CVE-2024-1563/
3. Security Tracker: https://www.securitytracker.com/id/10010413/
4. NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1563/.

Mitigation

To mitigate the impact of this vulnerability, it is highly recommended that the users of Firefox Focus for iOS update their browser to the latest version (122 or higher). Users using versions earlier than 122 are at greater risk. Updating to recent versions ensures the latest security fixes and thus helps in protecting your browsing experience from such attacks.

Conclusion

CVE-2024-1563 is an alarming vulnerability affecting Firefox Focus for iOS versions before 122. It exploits custom Firefox schemes and JavaScript URIs to execute unauthorized scripts on top origin sites. This post provides detailed information on the vulnerability, code snippets to demonstrate its exploit, and links to the original references. It is vital for the users to update their Firefox Focus for iOS to the latest version to ensure security and prevent unauthorized access to their data.

Timeline

Published on: 02/22/2024 15:15:08 UTC
Last modified on: 02/22/2024 19:07:27 UTC