Nasty MitM possibility with the Firefox blocklist service
Once a day the Firefox/Tor browser calls the Firefox blocklist service. The URL of this endpoint (pref extensions.blocklist.url) is:
https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
Example:
https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/20170202030101/WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/default/default/34/34/1/
'''1) The browser suppresses bad certificate errors on this URL'''
Firefox suppresses bad certificate errors while downloading blocklist.xml from the blocklist service. This makes it quite easy to set up a MitM attack and remove revoked certificates from the blocklist.xml.
Proof of concept:
- Run a webserver listening for https://blocklists.settings.services.mozilla.com
- Create a fake blocklist XML (/v1/blocklist/etc...)
- Add "12.34.56.78 blocklists.settings.services.mozilla.com" to your hosts file
- Reset app.update.lastUpdateTime.blocklist-background-update-timer and change extensions.blocklist.interval
- Wait until Tor Browser calls the blocklist service.
- Check the blocklist.xml inside the Tor installation folder
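From a defender's side, the two local preconditions this proof of concept relies on (a hosts-file entry pinning the blocklist host, and overrides of the blocklist prefs in prefs.js) are easy to check for on an endpoint. The script below is an added example and is not code from the ticket, Mozilla or the Tor Project; the hosts-file and prefs.js content it inspects is constructed sample data, and the hostnames it watches are the ones quoted in this ticket.

```python
"""Detect the local preconditions of the blocklist MitM scenario above.

Added example (not from the ticket, Mozilla or Tor Browser). It inspects:
  1. a hosts file, for entries that pin a Mozilla blocklist/update host to an
     address (the proof of concept adds such an entry);
  2. a Firefox/Tor Browser prefs.js, for overrides of the blocklist prefs the
     proof of concept changes (extensions.blocklist.url,
     extensions.blocklist.interval and the background update timer).
The SAMPLE_HOSTS and SAMPLE_PREFS strings are constructed for the demo.
"""
import re

# Hostnames taken from the URLs quoted in the ticket.
MOZILLA_SERVICE_HOSTS = {
    "blocklists.settings.services.mozilla.com",
    "blocklist.addons.mozilla.org",
    "versioncheck-bg.addons.mozilla.org",
}

# Prefs named in the ticket; any user override of these is worth a look.
WATCHED_PREFS = {
    "extensions.blocklist.url",
    "extensions.blocklist.interval",
    "app.update.lastUpdateTime.blocklist-background-update-timer",
}

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def hosts_overrides(hosts_text):
    """Return (ip, hostname) pairs that pin a Mozilla service host to an address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            if name.lower() in MOZILLA_SERVICE_HOSTS:
                findings.append((ip, name.lower()))
    return findings


def pref_overrides(prefs_text):
    """Return {pref: value} for watched prefs that prefs.js overrides."""
    overrides = {}
    for raw in prefs_text.splitlines():
        m = PREF_LINE.match(raw)
        if m and m.group(1) in WATCHED_PREFS:
            overrides[m.group(1)] = m.group(2).strip().strip('"')
    return overrides


def report(hosts_text, prefs_text):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for ip, name in hosts_overrides(hosts_text):
        findings.append(f"hosts file pins {name} to {ip}; blocklist fetches go there")
    for pref, value in pref_overrides(prefs_text).items():
        findings.append(f"prefs.js overrides {pref} = {value}")
    return findings


# Constructed sample input; 12.34.56.78 is the placeholder address from the ticket.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
12.34.56.78     blocklists.settings.services.mozilla.com   # suspicious pin
192.168.1.10    fileserver.lan
"""

SAMPLE_PREFS = """\
// constructed sample prefs.js
user_pref("extensions.blocklist.interval", 60);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
user_pref("extensions.blocklist.url", "https://blocklist.example.invalid/v1/blocklist/3/");
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS, SAMPLE_PREFS):
        print(line)
```

To use it against a real machine, read the platform's hosts file and the prefs.js of the Tor Browser profile into the two strings instead of the samples; the checks are pure string processing and need no browser running.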
'''2) Mozilla is able to see Tor-user-specific information'''
There is a lot of OS/platform/browser-specific information in the URL, so Mozilla has a lot of statistics about Tor Browser usage. Not necessary IMHO. The placeholders in the URL are:
APP_ID APP_VERSION PRODUCT VERSION BUILD_ID BUILD_TARGET OS_VERSION LOCALE CHANNEL PLATFORM_VERSION DISTRIBUTION DISTRIBUTION_VERSION PING_COUNT TOTAL_PING_COUNT DAYS_SINCE_LAST_PING
The TOTAL_PING_COUNT (stored in extensions.blocklist.pingCountTotal) is also interesting, because this number increments every time you start the Tor browser (note: at most once a day). As you can see, the number in the URL above is 34, which means that the Tor browser was started at least 34 times/days.
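To see what such a request discloses, it helps to map the path segments back onto the placeholder names of the template. The following parser is an added example (not code from the ticket or from Mozilla); the placeholder order is taken from the extensions.blocklist.url template quoted above, and the sample URL is the example request from this ticket.

```python
"""Decode the identifying fields in a Firefox blocklist ping URL.

Added example, not from the ticket or from Mozilla. It maps the path segments
of a request (e.g. one seen in a proxy log) onto the placeholder names of the
extensions.blocklist.url template quoted in the ticket.
"""
from urllib.parse import unquote, urlsplit

# Placeholder order as it appears in the extensions.blocklist.url template.
FIELDS = [
    "APP_ID", "APP_VERSION", "PRODUCT", "BUILD_ID", "BUILD_TARGET", "LOCALE",
    "CHANNEL", "OS_VERSION", "DISTRIBUTION", "DISTRIBUTION_VERSION",
    "PING_COUNT", "TOTAL_PING_COUNT", "DAYS_SINCE_LAST_PING",
]


def parse_blocklist_ping(url):
    """Return {placeholder: decoded value} for a blocklist ping URL, or None if
    the path does not have the shape .../blocklist/3/<13 segments>/."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    try:
        # the blocklist format version "3" directly follows "blocklist"
        start = parts.index("3", parts.index("blocklist")) + 1
    except ValueError:
        return None
    values = parts[start:]
    if len(values) != len(FIELDS):
        return None
    return {name: unquote(value) for name, value in zip(FIELDS, values)}


def usage_counters(fields):
    """Extract the per-profile counters as integers (the ticket's point: the
    total ping count is a lower bound on the number of days the browser ran)."""
    return {
        "ping_count": int(fields["PING_COUNT"]),
        "total_ping_count": int(fields["TOTAL_PING_COUNT"]),
        "days_since_last_ping": int(fields["DAYS_SINCE_LAST_PING"]),
    }


# The example request quoted in the ticket.
SAMPLE_URL = (
    "https://blocklist.addons.mozilla.org/blocklist/3/"
    "%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/20170202030101/"
    "WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/default/default/34/34/1/"
)

if __name__ == "__main__":
    decoded = parse_blocklist_ping(SAMPLE_URL)
    for name in FIELDS:
        print(f"{name:22} {decoded[name]}")
    print(usage_counters(decoded))
```

Running it on the sample URL prints the OS version, build target, locale and channel in clear, and a total ping count of 34, which is the "started at least 34 times/days" reading given above.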
Technical info:
source code: XMLHttpRequest with BadCertHandler
source code: BadCertHandler:
/**
* This class implements nsIBadCertListener. Its job is to prevent "bad cert"
* security dialogs from being shown to the user. It is better to simply fail
* if the certificate is bad. See bug 304286. <-- :-|
*/
Another URL with sensitive data is extensions.update.background.url:
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
Related Bugzilla tickets:
- Something tries to MITM Firefox's automatic connection to addons.mozilla.org, resulting in an annoying expired-certificate dialog
- Certificate failures during automatic check for updates should not give user choice to connect anyway
Trac username: basvd