CVE-2020-15679: PGAND-410 Resolve oauth session fixation on iOS (#272) · mozilla-mobile/guardian-vpn-ios@4309f5c

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to log in via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the attacker to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).


@@ -12,88 +12,81 @@ import UIKit import SafariServices
extension Notification.Name { static let callbackURLNotification = Notification.Name(“callbackURL”) }
class LoginViewController: UIViewController, Navigating { static var navigableItem: NavigableItem = .login
private let guardianAPI = DependencyManager.shared.guardianAPI private var safariViewController: SFSafariViewController? private var verificationURL: URL? private var verifyTimer: Timer? private var isVerifying = false private let accountManager = DependencyManager.shared.accountManager private let PKCECode: (String, String) = PKCECodeGenerator.generateCode
init() { super.init(nibName: nil, bundle: nil) guardianAPI.initiateUserLogin { [weak self] result in switch result { case .success(let checkpointModel): guard let loginURL = checkpointModel.loginUrl else { return } self?.verificationURL = checkpointModel.verificationUrl let safariViewController = SFSafariViewController(url: loginURL) DispatchQueue.main.async { self?.addChild(safariViewController) self?.view.addSubview(safariViewController.view) safariViewController.view.frame = self?.view.bounds ?? CGRect.zero safariViewController.view.autoresizingMask = [.flexibleWidth, .flexibleHeight] safariViewController.didMove(toParent: self) } safariViewController.delegate = self self?.safariViewController = safariViewController case .failure(let error): let loginError = error.getLoginError() let context: NavigableContext = loginError == .maxDevicesReached ? .maxDevicesReached : .error(loginError) self?.navigate(to: .landing, context: context) } } }
deinit { verifyTimer?.invalidate() }
required init?(coder: NSCoder) { fatalError(“init(coder:) has not been implemented”) }
@objc private func verify() { guard let verificationURL = verificationURL else { return } if isVerifying { return } isVerifying = true override func viewDidLoad() { super.viewDidLoad()
guardianAPI.verify(urlString: verificationURL.absoluteString) { [weak self] result in guard let self = self else { return } let safariViewController = SFSafariViewController(url: GuardianURLRequest.pkceLoginURL(codeChallenge: PKCECode.0)) addChild(safariViewController) view.addSubview(safariViewController.view) safariViewController.view.frame = self.view.bounds safariViewController.view.autoresizingMask = [.flexibleWidth, .flexibleHeight] safariViewController.didMove(toParent: self) safariViewController.delegate = self self.safariViewController = safariViewController
NotificationCenter.default.addObserver(self, selector: #selector(handleCallback), name: .callbackURLNotification, object: nil) }
@objc private func handleCallback(notification: Notification) { guard let url = notification.userInfo?[“callbackURL”] as? URL, let queryItems = URLComponents(string: url.absoluteString)?.queryItems, let code = queryItems.first(where: { $0.name == “code” })?.value else { navigate(to: .landing) return } verify(code: code) }
private func verify(code: String) { guardianAPI.verify(code: code, codeVerifier: PKCECode.1) { [weak self] result in guard let self = self else { return } switch result { case .success(let verification): DependencyManager.shared.accountManager.login(with: verification) { loginResult in self.isVerifying = false self.verifyTimer?.invalidate() switch loginResult { case .success: self.navigate(to: .home) case .failure(let error): Logger.global?.log(message: "Authentication Error: \(error)") let context: NavigableContext = error == .maxDevicesReached ? .maxDevicesReached : .error(error) self.navigate(to: .landing, context: context) } } case .failure: self.isVerifying = false return self.login(verification: verification) case .failure(let error): self.navigate(to: .landing, context: .error(error)) } } } }
// MARK: - SFSafariViewControllerDelegate extension LoginViewController: SFSafariViewControllerDelegate { func safariViewController(_ controller: SFSafariViewController, didCompleteInitialLoad didLoadSuccessfully: Bool) { if didLoadSuccessfully && verifyTimer == nil { verifyTimer = Timer.scheduledTimer(timeInterval: 3, target: self, selector: #selector(verify), userInfo: nil, repeats: true) private func login(verification: VerifyResponse) { accountManager.login(with: verification) { [weak self] loginResult in guard let self = self else { return } switch loginResult { case .success: self.navigate(to: .home) case .failure(let error): Logger.global?.log(message: "Authentication Error: \(error)") let context: NavigableContext = error == .maxDevicesReached ? .maxDevicesReached : .error(error) self.navigate(to: .landing, context: context) } } } }
// MARK: - SFSafariViewControllerDelegate extension LoginViewController: SFSafariViewControllerDelegate { func safariViewControllerDidFinish(_ controller: SFSafariViewController) { self.verifyTimer?.invalidate() navigate(to: .landing) } }
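Review bot: handleCallback (new side, the `@objc private func handleCallback(notification:)` block) forwards whatever `code` arrives on the callback URL straight to `verify(code:)` without checking an OAuth `state` value, so the PKCE verifier sent in `verify(code:)` is the only thing binding the redirect to the login attempt this controller started. PKCE protects the code exchange, but the native-app guidance in RFC 8252 still calls for a per-attempt `state` nonce: generate it next to the PKCE pair, carry it in `GuardianURLRequest.pkceLoginURL` (defined outside this hunk, so it may need a new parameter), and extend the guard to `let state = queryItems.first(where: { $0.name == "state" })?.value, state == expectedState` so a mismatch falls into the existing `navigate(to: .landing)` path exactly as a missing `code` does. Separately, `PKCECode` is a bare `(String, String)` read as `.0` for the challenge and `.1` for the verifier at two different call sites; a labelled tuple `(challenge: String, verifier: String)` or a small struct, with the property renamed to `pkceCode` per Swift naming, would make both reads self-documenting. Also, `URLComponents(url: url, resolvingAgainstBaseURL: false)` avoids the round trip through `absoluteString` for a `URL` you already hold.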
