Closed
Bug 1439255
Opened 6 years ago
Closed 6 years ago
Error message determined by the «required» and «x-moz-errormessage» Attributes is always-on-top of Firefox window and can be used for Addressbar Spoofing, UI Spoofing, ClickJacking and other evil
Categories
(Firefox :: General, defect)
RESOLVED DUPLICATE of bug 1294413
People
(Reporter: jordi.chancel, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-spoof, sec-low)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180215111455

Steps to reproduce:

Firefox shows the error message determined by the required="" and the x-moz-errormessage="" attributes as an always-on-top of the Firefox window, and so it can cover: the Addressbar, any download dialogs (e.g. a download dialog with the "open file" option), the WebRTC dialog, the warning dialog for installing an XPI addon (and others).

With setInterval() and other JavaScript functions it is possible to make the error message (determined by the required="" and the x-moz-errormessage="" attributes) persist through mouse interactions with the browser. By using absolute positioning/scrolling, an attacker can essentially cover arbitrary portions of a user's display with whatever they want.

Actual results:

This bug can be used for: Addressbar Spoofing, UI Spoofing and ClickJacking. The testcase in Attachments demonstrates that the error message persists and covers the Addressbar (leading to a Location Bar Spoofing).

Expected results:

A possibility to fix it would probably be to automatically disable the error message when it covers the Addressbar and other Firefox dialog boxes, like the WebRTC dialog, Download dialog, ...

Updated • 6 years ago
Flags: needinfo?(jordi.chancel)
Marking for bounty consideration. PoC seems more of an annoyance than a real spoofing risk, but if the comments about "absolute positioning/scrolling" in the report are correct, then something convincing could probably be constructed. But it appears we show the alert inside a speech bubble type thing which tries to show the user what tab it came from (in my case it shows the wrong tab).
Flags: sec-bounty?
Comment 2 • 6 years ago

This is terrible as an addressbar spoof (doesn't look right at all) but annoyingly blocks browser UI -- hides real location, can prevent manipulating/closing tabs using the mouse. It might be more convincing to try to spoof some other kind of browser message.

This error message UI violates the absolute rule that web content should NEVER appear in the chrome area. https://textslashplain.com/2017/01/14/the-line-of-death/

That little pointer tail is dangerous -- even if we make sure the message is inside the content area we need to make sure the tail doesn't cross into chrome. Kind of dangerous even if it starts at position 0 since users might assume that it's crossing over. Can we get rid of the tail? Can we pad it by 10px if it's too close to the edge?

In this case the form is invisible. Should we be showing errors from invisible content? That's a tricky one though because it might be visible-but-ghostly or obscured with other overlapping content or a busy background.

x-moz-errormessage is non-standard and here we can see why it's dangerous. Can we just kill it?

Some of this code would be "Layout: Form Controls" (found other bugs filed there) but I suspect this is really a front-end issue (browser/modules/FormSubmitObserver.jsm).
Blocks: eviltraps
Group: core-security
Status: UNCONFIRMED → NEW
status-firefox58: --- → affected
status-firefox59: --- → affected
status-firefox60: --- → affected
status-firefox-esr52: --- → affected
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Product: Core → Firefox
Updated • 6 years ago
Group: firefox-core-security
Comment 4 • 6 years ago
yup -- thanks! So is it a "Layout" bug or a front-end bug to fix?
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Reporter
Comment 5 • 6 years ago
I clear the Flags: needinfo?(jordi.chancel@alternativ-testing.fr)
Flags: needinfo?(jordi.chancel)