Closed
Bug 1173831
Opened 9 years ago
Closed 4 years ago
Location Bar Spoofing using fullscreen Mode, OnClick and OnTouchStart event (can't exit the fullscreen mode)
Categories
(Firefox for Android Graveyard :: General, defect, P3)
Tracking
(fennec-)
RESOLVED
INCOMPLETE
Tracking | Status
---|---
fennec | -
People
(Reporter: jordi.chancel, Unassigned)
References
(Blocks 1 open bug, )
Details
(Keywords: csectype-dos, reporter-external)
Attachments (1 file): 3.20 KB, application/java-archive
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253
Steps to reproduce:
The methods used by this Firefox for ANDROID vulnerability are more or less similar to another vulnerability on FIREFOX OS ( https://bugzilla.mozilla.org/show_bug.cgi?id=1161367 ), but these methods use different JavaScript functions, so it's a different vulnerability which requires another fix.
When a specially crafted webpage has a <body> element that uses the OnClick and OnTouchStart events to put the webpage in FullScreen Mode, if a user touches the webpage, the FullScreen mode is directly activated.
If the user wants to try to exit FullScreen Mode, he can press the back button on his Android device, but the location bar doesn't reappear, so the user will try to scroll up on the webpage so that the location bar becomes visible, but when the user touches the malicious webpage again, the FullScreen Mode is activated again. (All these steps will be reproduced as long as the user touches the malicious webpage.)
Steps:
-1: Go to the uploaded testcase ( or https://www.alternativ-testing.fr/Research/Mozilla/android/cant-exit-fullscreen-new-vuln/cant-exit-fullscreen.html )
-2: Touch the web page ( the fullscreen mode is activated )
-3: Try to exit the fullscreen mode by pressing the back button on your Android device
-4: Try to scroll up in the web page to try to view the location bar
Actual results:
Each time you touch the web page, the fullscreen mode is activated and leads to a URL and SSL spoofing vulnerability with a fake location bar.
Expected results:
The fullscreen mode should be activated with the possibility to forbid this action on the webpage concerned (like Mozilla Firefox for Windows / Mac OS X and Linux).
Updated•9 years ago
Whiteboard: Same impact and same severity as bug1161367
Updated•9 years ago
Attachment #8621017 -
Attachment mime type: application/zip → application/java-archive
Updated•9 years ago
OS: Unspecified → Android
Hardware: Unspecified → ARM
Updated•9 years ago
Version: Firefox 38 → Firefox 39
If we don't store site fullscreen state, this should be a pretty easy fix (i.e. an Android dialog with a callback) - the hardest part is rounding up all of the fullscreen code to go through the same method to ensure the dialog is called every time.
Finkle, is there an existing place we can access and store site fullscreen settings (e.g. likely shared with desktop)?
Flags: needinfo?(mark.finkle)
Comment 2•9 years ago
(In reply to Michael Comella (:mcomella) from comment #1)
> If we don't store site fullscreen state, this should be a pretty easy fix
> (i.e. an Android dialog with a callback) - the hardest part is rounding up
> all of the fullscreen code to go through the same method to ensure the
> dialog is called everytime.
>
> Finkle, is there an existing place we can access and store site fullscreen
> settings (e.g. likely shared with desktop)?
Looks like the fullscreen permissions are regular nsIPermissionManager permissions:
http://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser-fullScreen.js#425
It looks like we never implemented this UI for Fennec, so you're right, we should do that.
Flags: needinfo?(mark.finkle)
Since I don't have many other pressing obligations...
Assignee: nobody → michael.l.comella
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•9 years ago
I just noticed bug 1160017, which is removing this permission. I haven't read the details closely, but you should look into that to see how we can address this security issue without implementing the fullscreen permission UI.
(In reply to :Margaret Leibovic from comment #4)
> I just noticed bug 1160017, which is removing this permission.
I was linked to [1] for extra information for this bug.
[1]: http://people.mozilla.org/~mverdi/projects/fullscreen/
Updated•9 years ago
Group: core-security → firefox-core-security
Comment hidden (off-topic)
Updated•9 years ago
Flags: needinfo?(mwobensmith)
Comment hidden (off-topic)
Comment 8•9 years ago
This is a user annoyance, not a security problem. Every time it pops back into fullscreen the floater announces that you've gone back (plus your Android status bar at the top gets covered). It will be clear to users that the site is playing games. This trick makes that tab useless, but depending on how you got there you can keep hitting the back button (without touching the page), or use the menu button to open a new tab, and from there get into the tab management pane and close the malicious one.
Blocks: eviltraps
Group: firefox-core-security
Flags: needinfo?(dveditz) → sec-bounty-
Keywords: csectype-dos
Whiteboard: Same impact and same severity as bug1161367
Going to unassign and nominate to see if we want to prioritize this, especially given comment 8.
Assignee: michael.l.comella → nobody
tracking-fennec: --- → ?
tracking-fennec: ? → -
Comment 10•7 years ago
Did we do anything to make this better? I don't get as stuck as I remember in the past -- the location bar comes back and if you can touch that you're in good shape. Then again maybe a malicious page could have interesting content and wait for you to scroll enough to get rid of the URL bar before going into trap-mode.
Flags: needinfo?(michael.l.comella)
I didn't do anything at the time and I haven't been following fennec updates so I don't know. It's possible something changed with the photon toolbar updates.
[triage] Not a security bug, non-critical.
Flags: needinfo?(michael.l.comella)
Priority: -- → P3
Comment 12•4 years ago
We have completed our launch of our new Firefox on Android. The development of the new versions uses GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix), an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report, please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard
Updated•6 months ago
Keywords: reporter-external