Bug 1337521 (Closed)
Opened 9 years ago
Closed 8 years ago
Firefox for Android - Possible Addressbar Spoofing (URL & SSL Spoofing) using Fullscreen Mode on a video object leading to make the webpage in persistent Fullscreen Mode instead to make the video in Fullscreen Mode
Categories: Firefox for Android Graveyard :: General, defect
Tracking: Not tracked
Status: RESOLVED INCOMPLETE
People: Reporter: jordi.chancel, Unassigned
Keywords: csectype-spoof, reporter-external, sec-low
Attachments (1 file): 866 bytes, text/html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131
Steps to reproduce:
When you go to a crafted webpage with a video object on which fullscreen mode can be enabled,
this can sometimes lead to the webpage being put in fullscreen mode persistently instead of the video object.
This can mean that the location bar in Firefox for Android can be spoofed with a fake location bar, using the fullscreen mode and blocking its exit.
/!\ On ten tests performed, the vulnerability works between 2 and 6 times. /!\
Steps:
1) Go to the URL address with Firefox for Android and click on the link (a new tab will be opened). (This first step is not obligatory to exploit this Addressbar Spoofing, but it seems that the exploitation has more chance of working with this step.)
2) On the webpage loaded into the newly opened tab, click on "Look Computer version" in the options (as demonstrated in the Video Example). When this webpage is reloaded (automatically) with this option, click on the link in this webpage and the most important webpage will be loaded.
3) When the new webpage is completely loaded, scroll down until you see the part of the webpage with a video object. Click on this video object to start the video; when the video starts, click again on this video object to stop the video, then click on the fullscreen button in this video object (as demonstrated in the video).
4) If the webpage is in Fullscreen Mode instead of the video object, scroll up and press the Back button on Android multiple times. If you can't exit this fullscreen mode, the fullscreen mode is persistent.
The fullscreen mode can't be disabled and is persistent, even if you press the Back button on Android and/or even if you go to the Android desktop and back to Firefox.
With a fake location bar, this can lead to Location Bar URL & SSL Spoofing.
Actual results:
Now the location bar is invisible (even if you try to press the Back button on Android and/or even if you go to the Android desktop and back to Firefox).
With a fake location bar, this leads to Location Bar Spoofing.
Expected results:
This Addressbar Spoofing doesn't work every time.
On ten tests performed, the spoofing works between 2 and 7 times.
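The report hinges on one observable: after the user taps the video's fullscreen button, which element does the browser actually report as fullscreen, the <video> or the whole document? The following diagnostic is an added example, not code from the bug report or from Mozilla; it classifies that state and, when the page rather than the video is fullscreen, attempts to exit and records the outcome. It assumes a page with a single <video> element and falls back to the `moz`-prefixed Fullscreen API names that Firefox used in the 51/52 era (the unprefixed API shipped unprefixed in Firefox 64). This is a tester's instrument for reproducing the symptom Xidorn asked for simpler steps on, not a page that puts itself in fullscreen.

```javascript
// Added example: a fullscreen diagnostic for the symptom described in the
// report (page fullscreen instead of the video, exit not taking effect).
// Not part of the original bug or of Firefox. The DOM wiring at the bottom
// only runs when a `document` global exists, so the pure logic also runs in Node.

// Classify the reported fullscreen element relative to the video whose button
// the user pressed. Returns 'none', 'video', 'page' or 'other'.
function classifyFullscreen(fullscreenEl, videoEl, rootEl) {
  if (!fullscreenEl) return 'none';
  if (videoEl && fullscreenEl === videoEl) return 'video';
  if (rootEl && fullscreenEl === rootEl) return 'page';
  return 'other';
}

// Read the fullscreen element, preferring the standard name and falling back
// to the moz-prefixed one used by the Firefox versions in the report.
function currentFullscreenElement(doc) {
  return doc.fullscreenElement || doc.mozFullScreenElement || null;
}

// Ask the document to leave fullscreen with whichever method it exposes.
// Returns true if a method existed and was called, false otherwise; whether the
// browser honours the request is observed by the next fullscreenchange event.
function tryExitFullscreen(doc) {
  const exit = doc.exitFullscreen || doc.mozCancelFullScreen;
  if (typeof exit !== 'function') return false;
  exit.call(doc);
  return true;
}

// Install listeners for both the standard and the moz-prefixed change event.
// Every transition is logged and appended to the returned array; if the page
// (or anything other than the video) went fullscreen, an exit is requested so
// the tester can see whether the state is "persistent" as the report claims.
function installFullscreenWatch(doc, videoEl, log = console.log) {
  const results = [];
  const handler = () => {
    const el = currentFullscreenElement(doc);
    const state = classifyFullscreen(el, videoEl, doc.documentElement);
    results.push(state);
    log(`fullscreenchange: ${state}`);
    if (state === 'page' || state === 'other') {
      const attempted = tryExitFullscreen(doc);
      log(attempted ? 'exitFullscreen() requested' : 'no exit method available');
    }
  };
  doc.addEventListener('fullscreenchange', handler);
  doc.addEventListener('mozfullscreenchange', handler);
  return results;
}

// Browser-only wiring: assumes the page under test has one <video>.
if (typeof document !== 'undefined') {
  installFullscreenWatch(document, document.querySelector('video'));
}
```

Paste the block into the page under test (or a devtools console) before tapping the video's fullscreen control; a log line reading `fullscreenchange: page` followed by an exit request that is not followed by `fullscreenchange: none` is the condition the report describes, and gives a reproducible signal instead of "the location bar is invisible".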
Updated•9 years ago (Reporter)
Comment 1•9 years ago (Reporter)
Comment 2•9 years ago
Xidorn, do you know how full screen stuff is supposed to work on Android?
Flags: needinfo?(xidorn+moz)
Comment 3•9 years ago
I cannot reproduce this issue. When I click the fullscreen button, it is always the video that goes fullscreen rather than the page. I'm testing on Firefox 52b6; what version are you using?
There was another address bar spoofing fixed in Firefox 51, which may or may not be related.
Flags: needinfo?(xidorn+moz)
Comment 4•9 years ago (Reporter)
This spoofing doesn't work every time;
sometimes it works directly, but sometimes it works only after multiple tests.
If it doesn't work directly, please try again (preferably after deleting your browsing data) until the Spoofing works.
Comment 5•9 years ago
So what version of Firefox are you using? Is that 51? You can check that from "about:" page.
Flags: needinfo?(jordi.chancel)
Updated•9 years ago
Flags: sec-bounty?
Comment 7•9 years ago
Still fail to reproduce this issue... Actually on 51, I can't even see the video :/
It would be great if there could be some simpler steps to reliably reproduce...
Updated•9 years ago
Keywords: csectype-spoof, sec-low
Comment 8•8 years ago
Minusing for security bounty as a sec-low, which does not qualify. Marking it incomplete since the developer cannot reproduce it either.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → INCOMPLETE
Updated•7 years ago
Group: firefox-core-security → mobile-core-security
Updated•6 years ago
Group: mobile-core-security
Updated•5 years ago (Assignee)
Product: Firefox for Android → Firefox for Android Graveyard
Updated•2 years ago
Keywords: reporter-external