Closed Bug 1266397 Opened 9 years ago Closed 4 years ago

Popup blocker bypass using Flash

Categories

(Core Graveyard :: Plug-ins, defect, P3)

defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: freddy, Unassigned)

References

Details

(Keywords: sec-moderate, sec-want)

Attachments

(2 files)

spin-off from bug 1266386:

> Bypass pop-up blocker using Flash (AS3) and navigateToURL('', 'popup');.
> If attacker.com runs a Flash file that calls getURL, the new tab will open automatically.
> This behavior is unique to Firefox, as is the OTF+SVG feature.
>
> This is what the AS3 would look like:
>
> navigateToURL(new URLRequest('http://victim.com/?css=...'), 'popup');
Attached file source code(AS3)
Attached file testcase(swf)
I attached PoC.
confirmed. I guess this might not be trivial to fix. Can you take a look or help finding an owner, Ehsan?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(ehsan)
Product: Firefox → Core
(In reply to Frederik Braun [:freddyb] from comment #3)

> confirmed.
> I guess this might not be trivial to fix.
> Can you take a look or help finding an owner, Ehsan?

I'm not sure why I'm the right person here. Did you mean to ask someone who knows something about plugins by any chance? :-)
Flags: needinfo?(ehsan)
@Ehsan: I thought this would touch the popup blocking code more than plugins. @jimm, can you take a look or help find an owner??
Component: General → Plug-ins
Flags: needinfo?(jmathies)
Do you know if this is a new regression or something that has been around for a while? Also would you mind cc'ing me into bug 1266386.
Flags: needinfo?(fbraun)
We have NPAPI support for plugins to disable and then re-enable popup blocking. I don't think this is currently a high priority for the team, but I'd happily mentor somebody who wants to start logging the NPAPI calls and in particular any calls to NPN_PushPopupsEnabledState (and Pop) to see whether Flash is doing this on purpose or whether we're not catching something by accident.
Mentor: benjamin
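The comment above suggests logging the NPN_PushPopupsEnabledState / NPN_PopPopupsEnabledState calls to tell a deliberate override from a blocker gap. The following is an added example, not Gecko's or Flash's code: a small model of the popup-enabled state stack with a logging wrapper and an audit that counts plugin-initiated window opens that were only allowed because a plugin pushed enabled=true without a user gesture. The two NPN_ function names are the real NPAPI entry points; the class, the log record, the navigate() model and the audit helpers are hypothetical stand-ins written for this example.

```cpp
// Added example (not Gecko code): model of the NPAPI popup-enabled state
// stack plus the instrumentation the bug's mentoring comment asks for.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

typedef bool NPBool;
typedef uint32_t PluginId;  // stands in for the NPP instance pointer

struct PushedState {
    PluginId plugin;
    bool enabled;
};

struct LogEntry {
    PluginId plugin;
    std::string event;       // "push", "pop" or "navigate"
    bool popupsEnabled;      // value pushed, or effective state after the event
    bool viaPluginOverride;  // navigate allowed only because of a plugin push
};

class PopupBlockerModel {
public:
    // A user gesture transiently allows popups regardless of plugin state.
    explicit PopupBlockerModel(bool userGesture = false) : userGesture_(userGesture) {}

    // NPN_PushPopupsEnabledState(NPP, NPBool): plugin overrides blocking.
    void NPN_PushPopupsEnabledState(PluginId p, NPBool enabled) {
        stack_.push_back({p, enabled});
        log_.push_back({p, "push", enabled, false});
    }

    // NPN_PopPopupsEnabledState(NPP): plugin restores the previous state.
    // An unbalanced or foreign pop is rejected and reported to the caller.
    bool NPN_PopPopupsEnabledState(PluginId p) {
        if (stack_.empty() || stack_.back().plugin != p) return false;
        stack_.pop_back();
        log_.push_back({p, "pop", popupsAllowed(), false});
        return true;
    }

    // Effective policy: the top pushed state wins, else the gesture check.
    bool popupsAllowed() const {
        if (!stack_.empty()) return stack_.back().enabled;
        return userGesture_;
    }

    // Plugin-initiated navigation with a target window name (the shape of
    // navigateToURL(url, 'popup')). Returns whether a new window may open.
    bool navigate(PluginId p, const std::string& target) {
        bool opensNewWindow = !target.empty() && target != "_self";
        bool allowed = !opensNewWindow || popupsAllowed();
        bool viaPlugin = opensNewWindow && allowed && !userGesture_ && !stack_.empty();
        log_.push_back({p, "navigate", allowed, viaPlugin});
        return allowed;
    }

    // Audit: window opens that happened only because a plugin pushed
    // enabled=true with no user gesture present.
    int countPluginOverriddenPopups() const {
        int n = 0;
        for (const LogEntry& e : log_)
            if (e.event == "navigate" && e.viaPluginOverride) ++n;
        return n;
    }

    // Pushes never popped: a plugin that leaves the stack enabled.
    size_t outstandingPushes() const { return stack_.size(); }

    const std::vector<LogEntry>& log() const { return log_; }

private:
    bool userGesture_;
    std::vector<PushedState> stack_;
    std::vector<LogEntry> log_;
};

int main() {
    PopupBlockerModel m(false);          // no user gesture on the page
    m.navigate(1, "popup");              // blocked
    m.NPN_PushPopupsEnabledState(1, true);
    m.navigate(1, "popup");              // allowed only via the plugin push
    for (const LogEntry& e : m.log())
        std::printf("plugin=%u event=%s enabled=%d viaPlugin=%d\n",
                    e.plugin, e.event.c_str(), e.popupsEnabled, e.viaPluginOverride);
    std::printf("plugin-overridden popups: %d, outstanding pushes: %zu\n",
                m.countPluginOverriddenPopups(), m.outstandingPushes());
    return 0;
}
```

Running the audit over a real log would answer the question in the comment: a nonzero count with balanced push/pop pairs means the plugin is opening windows on purpose through the documented NPAPI override, while allowed opens with an empty stack and no gesture would point at a blocker gap instead.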
(In reply to Frederik Braun [:freddyb] from comment #5)

> @Ehsan: I thought this would touch the popup blocking code more than plugins.

Perhaps, but I don't know much about that code either. :-)
(In reply to Jim Mathies [:jimm] from comment #6)

> Do you know if this is a new regression or something that has been around
> for a while?

No idea. I'd *guess* the latter.

> Also would you mind cc'ing me into bug 1266386.

Knowing bug 1266386 is really not required for the popup blocker discussion but it is public now. So feel free to take a look :)
Flags: needinfo?(fbraun)
I really do not have the time to look at this now. I can reproduce though and find it rather concerning flash can do this. I will try to find some time to look more deeply at it.
Flags: needinfo?(jmathies)
Priority: -- → P2
I can confirm this same behavior. In my case, it finds a tab on the non-private Firefox window (as far as I can tell) and locates my Twitter account. It then finds a post that I have made in the past and "Follows" my account, which sends me a notification. If you go to look at that notification's account, it is specifically looking to direct you to their site to start some $$ transactions. Almost phishing? Certainly a misuse of FF privacy. Probably not what Twitter wants either.
Blocks: 1333599
Jim, you wanted to take a look at this. Any chance you'll take this soon? :)
Assignee: nobody → jmathies
Mentor: benjamin
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Assignee: jmathies → nobody
Resolving as WONTFIX, plugin support deprecated in Firefox 85.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard