Mapbox Security Bulletins

Millions of people touch Mapbox every month. That's why we are committed to creating the most secure and privacy-minded mapping and location platform in the world.

Check this page for security announcements related to Mapbox software and our platform. You can also subscribe to our security bulletins RSS feed.

Need to report a security issue? Check out our bug bounty program on HackerOne or email us at security@mapbox.com.

Mapbox Android SDK - Switch to Local Broadcast Manager

March 21 2017

Summary

Mapbox Android SDK v4.0.0 through v4.2.0 use a Broadcast Receiver for location service requests instead of the Local Broadcast Manager. The Local Broadcast Manager offers more granular control of broadcast permissions, as well as performance enhancements.

v4.2.1 of the Mapbox Android SDK uses the Local Broadcast Manager instead of the Broadcast Receiver. This change limits broadcasts of location data to local objects within the application’s process.

Affected Products

  • Mapbox Android SDK v4.0.0 through v4.2.0

How to fix

Upgrade your application to use Mapbox Android SDK v4.2.1 or later.

Credit

Michael Reizelman


Mapbox.js - XSS via share control

January 12 2016

Summary

When the share control of a mapbox.js map is clicked, arbitrary script content will execute if a malicious user has injected script content into the name property of TileJSON data.

Affected Products

  • Mapbox.js v2.2.3 and earlier
  • Mapbox.js v1.6.4 and earlier

Affected Usage

Only specific usage is vulnerable. You are vulnerable to this issue if all of the following conditions are true:

  • You are using a mapbox.js map (L.mapbox.map) with a share control (L.mapbox.shareControl)
  • You are loading untrusted external TileJSON
  • A malicious user has access to the TileJSON and modifies the name property to contain script content
  • The share control is clicked by a user

Such usage is uncommon. L.mapbox.shareControl is not automatically added to mapbox.js maps and must be explicitly added.

The following usage scenarios are not vulnerable:

  • The map does not use a share control (L.mapbox.shareControl)
  • Only trusted TileJSON content is loaded

How to fix

Upgrade to Mapbox.js version 2.2.4. If you are still using a 1.x version and unable to upgrade to 2.2.4, upgrade to 1.6.6.

If you are unable to upgrade to either 2.2.4 or 1.6.6, you can also remove any share controls (L.mapbox.shareControl) from your maps.

Credit

Abdullah Ahmet Erdem


Mapbox.js - XSS via attribution control

October 24 2015

Summary

When a Mapbox.js map is loaded, malicious script content placed in the attribution property of the TileJSON data will execute.

Affected Products

  • Mapbox.js v2.1.6 and earlier
  • Mapbox.js v1.6.4 and earlier

Affected Usage

Only specific usage is vulnerable. You are vulnerable to this issue if all of the following conditions are true:

  • You are using a mapbox.js map (L.mapbox.map) or tileLayer constructor (L.mapbox.tileLayer) to load TileJSON
  • The TileJSON is external, untrusted, and hosted on a non-Mapbox URL
  • An attacker has control over the untrusted TileJSON and modifies the attribution property to contain script content

Such usage is uncommon. The following usage scenarios are not vulnerable:

  • Only trusted TileJSON content is loaded
  • TileJSON content comes only from mapbox.com URLs
  • A Mapbox map ID is supplied, rather than a TileJSON URL

How to fix

Upgrade to Mapbox.js version 2.1.7. If you are still using a 1.x version and unable to upgrade to 2.1.7, upgrade to 1.6.5.
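Both XSS bulletins above share the same root condition: string fields of untrusted TileJSON (name for the share control, attribution for the attribution control) reaching the DOM unescaped. As an added example that is not Mapbox code, the following defence-in-depth step sanitises externally fetched TileJSON before it is handed to mapbox.js; the function names and the sample TileJSON are constructed for illustration, and the L.mapbox.map call shape in the final comment is assumed.

```javascript
// Added example, not Mapbox code: defence-in-depth sanitiser for TileJSON fetched from an
// untrusted, non-Mapbox URL. The share control renders "name" and the attribution control
// renders "attribution"; links are legitimate there, so only <a href="http(s)://..."> survives.
// Escape HTML metacharacters; entities already present, such as &copy;, are left intact.
function escapeHtml(s) {
  return String(s)
    .replace(/&(?![a-z]+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Opening anchor with exactly one double-quoted http(s) href and no other attributes.
const ANCHOR_OPEN = /^<a\s+href="(https?:\/\/[^"'<>\s]+)"\s*>$/i;

function sanitizeAttribution(html) {
  const out = [];
  let depth = 0;                      // anchors currently open in the output
  const tokens = /<[^>]*>?|[^<]+/g;   // a tag (even an unterminated one) or a run of text
  let m;
  while ((m = tokens.exec(String(html))) !== null) {
    const tok = m[0];
    if (tok[0] !== '<') { out.push(escapeHtml(tok)); continue; }
    const open = ANCHOR_OPEN.exec(tok);
    if (open) { depth += 1; out.push(`<a href="${escapeHtml(open[1])}">`); continue; }
    if (depth > 0 && /^<\/a\s*>$/i.test(tok)) { depth -= 1; out.push('</a>'); continue; }
    out.push(escapeHtml(tok));        // any other tag, <script> included, is escaped
  }
  while (depth > 0) { depth -= 1; out.push('</a>'); }  // close anchors left open
  return out.join('');
}

// Return a copy of the TileJSON whose rendered string fields are sanitised.
function sanitizeTileJSON(tilejson) {
  const clean = { ...tilejson };
  for (const key of ['name', 'description']) {
    if (typeof clean[key] === 'string') clean[key] = escapeHtml(clean[key]);
  }
  if (typeof clean.attribution === 'string') clean.attribution = sanitizeAttribution(clean.attribution);
  return clean;
}

// Constructed sample of a tampered external TileJSON; example.com hosts are placeholders.
const TAMPERED_TILEJSON = {
  tilejson: '2.0.0',
  name: 'City tiles<script>alert(1)</script>',
  attribution: '&copy; <a href="https://example.com/">Data Co</a> <script>alert(1)</script>',
  tiles: ['https://tiles.example.com/{z}/{x}/{y}.png'],
};
// In the page (assumed mapbox.js call shape): L.mapbox.map('map', sanitizeTileJSON(tilejson));
console.log(sanitizeTileJSON(TAMPERED_TILEJSON));
```

This does not replace the upgrade; it limits the blast radius if a TileJSON source you do not control is ever tampered with.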

Credit

Juan Broullón Sampedro
