Closed Bug 1173831 Opened 6 years ago Closed 4 months ago

Location Bar Spoofing using fullscreen Mode, OnClick and OnTouchStart event (can't exit the fullscreen mode)

Categories

(Firefox for Android Graveyard :: General, defect, P3)

39 Branch
ARM
Android
defect

Tracking

(fennec-)

RESOLVED INCOMPLETE
Tracking Status
fennec - ---

People

(Reporter: jordi.chancel, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: csectype-dos)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

The methods used by this Firefox for Android vulnerability are more or less similar to another vulnerability on Firefox OS ( https://bugzilla.mozilla.org/show_bug.cgi?id=1161367 ), but these methods use different JavaScript functions, so it's a different vulnerability which requires another fix.


When a specially crafted webpage has a <body> element that uses the OnClick and OnTouchStart events to put the webpage into fullscreen mode, fullscreen mode is activated as soon as a user touches the webpage.

If the user wants to leave fullscreen mode, he can press the back button on his Android device, but the location bar does not reappear, so the user will try to scroll up the webpage so that the location bar becomes visible; but when the user touches the malicious webpage again, fullscreen mode is activated again. (All these steps will repeat as long as the user keeps touching the malicious webpage.)

Steps:
-1: Go to the uploaded testcase ( or https://www.alternativ-testing.fr/Research/Mozilla/android/cant-exit-fullscreen-new-vuln/cant-exit-fullscreen.html )
-2: Touch the web page ( fullscreen mode is activated )
-3: Try to leave fullscreen mode by pressing the back button on your Android device
-4: Try to scroll up the web page to view the location bar



Actual results:

Each time you touch the web page, fullscreen mode is activated, which leads to a URL and SSL spoofing vulnerability with a fake location bar.


Expected results:

Fullscreen mode should be activated with the possibility of forbidding this action on the webpage concerned (as in Mozilla Firefox for Windows, Mac OS X and Linux).
Whiteboard: Same impact and same severity as bug1161367
Attachment #8621017 - Attachment mime type: application/zip → application/java-archive
OS: Unspecified → Android
Hardware: Unspecified → ARM
Version: Firefox 38 → Firefox 39
If we don't store site fullscreen state, this should be a pretty easy fix (i.e. an Android dialog with a callback) - the hardest part is rounding up all of the fullscreen code to go through the same method to ensure the dialog is called every time.

Finkle, is there an existing place we can access and store site fullscreen settings (e.g. likely shared with desktop)?
Flags: needinfo?(mark.finkle)
(In reply to Michael Comella (:mcomella) from comment #1)
> If we don't store site fullscreen state, this should be a pretty easy fix
> (i.e. an Android dialog with a callback) - the hardest part is rounding up
> all of the fullscreen code to go through the same method to ensure the
> dialog is called everytime.
> 
> Finkle, is there an existing place we can access and store site fullscreen
> settings (e.g. likely shared with desktop)?

Looks like the fullscreen permissions are regular nsIPermissionManager permissions:
http://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser-fullScreen.js#425

It looks like we never implemented this UI for Fennec, so you're right, we should do that.
Flags: needinfo?(mark.finkle)
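The following is an added illustration, not code from Fennec or from the reporter's testcase. It models the loop in the bug description (touch enters fullscreen, back leaves it, the next touch re-enters) and the fix discussed in comments 1 and 2: a dialog with a callback whose answer is stored per site, standing in for the nsIPermissionManager permission mentioned above. The names PermissionStore, FullscreenController and the origin string are assumptions made for the model; it runs in Node without a DOM.

```javascript
// Added example, not Fennec code: a small model of the fullscreen trap from the
// bug description and of the per-site permission fix discussed in comments 1-2.
// PermissionStore, FullscreenController and ORIGIN are illustrative names.

const ORIGIN = "https://attacker.example"; // constructed origin for the trap page

// Stand-in for nsIPermissionManager: remembers one decision per origin.
class PermissionStore {
  constructor() { this.decisions = new Map(); }
  get(origin) {
    return this.decisions.has(origin) ? this.decisions.get(origin) : "unknown";
  }
  set(origin, decision) { this.decisions.set(origin, decision); }
}

// Browser-side model. policy "always-allow" is the reported Fennec behaviour
// (no permission UI at all); policy "ask" shows a dialog whose callback returns
// { allow, remember }, and remembered answers are stored per origin.
class FullscreenController {
  constructor({ policy, promptUser, permissions }) {
    this.policy = policy;
    this.promptUser = promptUser;
    this.permissions = permissions || new PermissionStore();
    this.fullscreen = false;
    this.entries = 0; // times the page got the whole screen
    this.prompts = 0; // times the user was asked
  }

  // Script called requestFullscreen(). Browsers only honour it from a user
  // gesture, which is exactly why the page hooks onclick and ontouchstart.
  request(origin, { userGesture }) {
    if (!userGesture || this.fullscreen) return false;
    let decision = "allow";
    if (this.policy === "ask") {
      decision = this.permissions.get(origin);
      if (decision === "unknown") {
        this.prompts += 1;
        const answer = this.promptUser(origin);
        decision = answer.allow ? "allow" : "deny";
        if (answer.remember) this.permissions.set(origin, decision);
      }
    }
    if (decision !== "allow") return false;
    this.fullscreen = true;
    this.entries += 1;
    return true;
  }

  // Android back button: leaves fullscreen, changes no permission.
  back() { this.fullscreen = false; }
}

// The trap page: <body ontouchstart="..." onclick="..."> re-requesting fullscreen.
function trapPage(browser, origin) {
  const handler = () => browser.request(origin, { userGesture: true });
  return { ontouchstart: handler, onclick: handler };
}

// Reproduce the reported steps `rounds` times: touch, press back, touch again.
function simulate({ rounds, policy, promptUser }) {
  const browser = new FullscreenController({ policy, promptUser });
  const page = trapPage(browser, ORIGIN);
  for (let i = 0; i < rounds; i += 1) {
    page.ontouchstart(); // step 2: fullscreen activates
    browser.back();      // step 3: back button leaves fullscreen
  }                      // step 4: the next touch re-enters, unless denied
  return { entries: browser.entries, prompts: browser.prompts };
}

// Canned dialog answers for the simulation.
const allowEveryTime = () => ({ allow: true, remember: false });
const denyAndRemember = () => ({ allow: false, remember: true });

// Three scenarios over five touch/back rounds.
function runScenarios() {
  return {
    noUI: simulate({ rounds: 5, policy: "always-allow" }),
    allowEach: simulate({ rounds: 5, policy: "ask", promptUser: allowEveryTime }),
    denyRemember: simulate({ rounds: 5, policy: "ask", promptUser: denyAndRemember }),
  };
}

console.log(runScenarios());
```

Without any UI every touch re-enters fullscreen (five entries, no prompts); with a dialog that is answered "allow" each time the trap still works but the user sees a prompt on every touch; with a remembered "deny" the site gets one prompt and no further fullscreen entries, which is the outcome comment 1 is after.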
Since I don't have many other pressing obligations...
Assignee: nobody → michael.l.comella
Status: UNCONFIRMED → NEW
Ever confirmed: true
I just noticed bug 1160017, which is removing this permission. I haven't read the details closely, but you should look into that to see how we can address this security issue without implementing the fullscreen permission UI.
(In reply to :Margaret Leibovic from comment #4)
> I just noticed bug 1160017, which is removing this permission.

I was linked to [1] for extra information for this bug.

[1]: http://people.mozilla.org/~mverdi/projects/fullscreen/
Group: core-security → firefox-core-security
Flags: needinfo?(mwobensmith)
This is a user annoyance, not a security problem. Every time it pops back into fullscreen the floater announces that you've gone back (plus your Android status bar at the top gets covered). It will be clear to users that the site is playing games. This trick makes that tab useless, but depending on how you got there you can keep hitting the back button (without touching the page), or use the menu button to open a new tab, and from there get into the tab management pane and close the malicious one.
Blocks: eviltraps
Group: firefox-core-security
Flags: needinfo?(dveditz) → sec-bounty-
Keywords: csectype-dos
Whiteboard: Same impact and same severity as bug1161367
Going to unassign and nominate to see if we want to prioritize this, especially given comment 8.
Assignee: michael.l.comella → nobody
tracking-fennec: --- → ?
tracking-fennec: ? → -
Did we do anything to make this better? I don't get as stuck as I remember in the past -- the location bar comes back and if you can touch that you're in good shape. Then again maybe a malicious page could have interesting content and wait for you to scroll enough to get rid of the URL bar before going into trap-mode.
Flags: needinfo?(michael.l.comella)
I didn't do anything at the time and I haven't been following fennec updates so I don't know. It's possible something changed with the photon toolbar updates.

[triage] Not a security bug, non-critical.
Flags: needinfo?(michael.l.comella)
Priority: -- → P3
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard