[Bug 1227486] New: kmozillahelper touching the internet at all seems like a potentially significant security issue
https://bugzilla.suse.com/show_bug.cgi?id=1227486

            Bug ID: 1227486
           Summary: kmozillahelper touching the internet at all seems like a
                    potentially significant security issue
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: el@horse64.org
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

kmozillahelper seems to look up hosts on its own. I noticed this when clicking URLs where often they won't even reach firefox because kmozillahelper already looked them up.

I think this is in some environments a significant security problem, since the user expectation is 1. the URL will be handled by their browser and nothing else, 2. firefox supports DNS over TLS so the user may expect their ISP doesn't see what URLs they're clicking, 3. unless kmozillahelper perfectly replicates firefox's entire network stack including reading its settings, that means it may be effectively bypassing all these security settings without user consent and leaking the URLs to the ISP and other parties without a warning.

My apologies if I just missed something, but if these observations are correct then I think kmozillahelper as it conceptually seems to work right now is a security hole. It shouldn't touch the internet whatsoever about the URLs, and just hand them off to firefox.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c2

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |el@horse64.org
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #2 from Fabian Vogt <fabian@ritter-vogt.de> ---
kmozillahelper provides dialogs for open+save file selection and some other miscellaneous integration. It is legacy and meant to be dropped as soon as possible, it's just waiting for Firefox: https://bugzilla.suse.com/show_bug.cgi?id=1226112

> I noticed this when clicking URLs where often they won't even reach firefox because kmozillahelper already looked them up.

I cannot follow there - kmozillahelper does nothing on its own, it's started and managed by firefox and only does whatever FF tells it to. I'm not aware of any command that causes kmozillahelper to receive a URL and "look it up".

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c4

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #4 from Fabian Vogt <fabian@ritter-vogt.de> ---
I still can't explain the behaviour you're observing.

> That happens when I click e.g. an URL mail in Thunderbird.

Can you clarify what you mean by "URL mail"? Do you mean clicking a link in a mail that should open in firefox? In that case kmozillahelper should only check which application to open the URL with but let TB handle the actual open action.

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c6

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #6 from Fabian Vogt <fabian@ritter-vogt.de> ---
Ok, so it's probably the "OPEN" handler. Does the same behavior occur if you use xdg-open with that URL?

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c9

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #9 from Fabian Vogt <fabian@ritter-vogt.de> ---
I can't reproduce the issue locally, it's passed straight to the browser.

Please try

kioclient exec https://bugzilla.suse.com/show_bug.cgi?id=1227486

echo -e "OPEN\nhttps://bugzilla.suse.com/show_bug.cgi?id=1227486\n\\\E\n" | QT_LOGGING_RULES=*.debug=true /usr/lib/mozilla/kmozillahelper

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c12

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #12 from Fabian Vogt <fabian@ritter-vogt.de> ---
Did the manual kmozillahelper invocation trigger the error as well?

(In reply to ell1e from comment #11)
> I just noticed the error message shows "Mozilla Thunderbird", this can be seen in the video I attached as well.

That's normal, kmozillahelper tries to fit in there and calls itself either Mozilla Firefox or Mozilla Thunderbird.

> Is it possible that this is supposed to be some misguided Thunderbird feature instead, where it looks up links before just opening them in the browser?

Theoretically possible, but the error message is definitely from KIO.

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c14

--- Comment #14 from Fabian Vogt <fabian@ritter-vogt.de> ---
I'd like to know:

(In reply to Fabian Vogt from comment #12)
> Did the manual kmozillahelper invocation trigger the error as well?

and also the output of

xdg-mime query default x-scheme-handler/http
xdg-mime query default x-scheme-handler/https
kreadconfig6 --group General --key BrowserApplication

https://bugzilla.suse.com/show_bug.cgi?id=1227486#c16

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(el@horse64.org)

--- Comment #16 from Fabian Vogt <fabian@ritter-vogt.de> ---
I'm mostly out of ideas. The only way this can happen AFAICT is if KIO thinks there is no browser available so it tries to download the file from that URL to figure out which application to use. The xdg-mime and kreadconfig6 calls show that the browser is correctly configured though.

At this point I'd treat this more like a normal bug report than a security issue, but I still can't tell for sure whether this is a bug just on your system or whether it may happen generally.

Some more invasive debugging might be needed. You could attach to the running kmozillahelper used by TB and set a breakpoint on "KIO::get". If that triggers, the backtrace might be helpful.
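
Added example, not part of the bug thread and not code from kmozillahelper or KIO: comment #16 suggests a fetch could happen if no browser is registered for the URL scheme, and comment #14 asks for the `xdg-mime` defaults, so this sketch checks one mimeapps.list-style file for missing `x-scheme-handler/http` and `x-scheme-handler/https` defaults. The function names and the sample file are assumptions made for illustration, and reading a single file is a simplification of the real lookup, which consults several files in priority order.

```shell
#!/bin/sh
# Added example: reads ONE mimeapps.list-style file (simplified; xdg-mime
# itself consults several files in priority order).

# Print the first desktop entry registered for a MIME type in the
# [Default Applications] section of FILE; print nothing if there is none.
default_handler() {
    # $1 = file, $2 = MIME type such as x-scheme-handler/https
    awk -F= -v want="$2" '
        /^\[/ { in_defaults = ($0 == "[Default Applications]"); next }
        in_defaults && $1 == want {
            split($2, entries, ";")      # value is a ;-separated list
            if (entries[1] != "") { print entries[1]; exit }
        }
    ' "$1"
}

# Print the web-scheme MIME types that have no default handler, one per
# line; return 1 if any is missing, 0 if both http and https are covered.
missing_browser_handlers() {
    missing=0
    for scheme in http https; do
        mime="x-scheme-handler/$scheme"
        if [ -z "$(default_handler "$1" "$mime")" ]; then
            echo "$mime"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample input: https has a default handler, http appears only
# under [Added Associations], which does not make it a default.
write_sample() {
    cat > "$1" <<'EOF'
[Added Associations]
x-scheme-handler/http=firefox.desktop;
[Default Applications]
text/html=firefox.desktop;
x-scheme-handler/https=firefox.desktop;chromium.desktop;
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "https handler: $(default_handler "$sample" x-scheme-handler/https)"
echo "missing: $(missing_browser_handlers "$sample")"
rm -f "$sample"
```
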