Closed Bug 1439255 Opened 6 years ago Closed 6 years ago

Error message determined by the «required» and «x-moz-errormessage» Attributes is always-on-top of Firefox window and can be used for Addressbar Spoofing, UI Spoofing, ClickJacking and other evil

Categories

(Firefox :: General, defect)

58 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1294413
Tracking Status
firefox-esr52 --- affected
firefox58 --- affected
firefox59 --- affected
firefox60 --- affected

People

(Reporter: jordi.chancel, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, sec-low)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180215111455

Steps to reproduce:

Firefox shows the error message determined by the required="" and the x-moz-errormessage="" Attribute as an always-on-top of the Firefox window and so can cover: 
The Addressbar, 
Any download dialogs (eg: a Download dialog with the "open file" option), 
WebRTC Dialog, 
Warning dialog for installing an XPI addon, 
(and others). 


With setInterval() and others JavaScript function it is possible to make the error message (determined by the required="" and the x-moz-errormessage="" Attribute) persist through mouse interactions with the browser. 

By using absolute positioning/scrolling, an attacker can essentially cover arbitrary portions of a user's display with whatever they want.


Actual results:

This bug can be used for: Addressbar Spoofing, UI Spoofing and ClickJacking.

Testcase in Attachments demonstrates that the error message persists and covers the Addressbar (leading to a Location Bar Spoofing).


Expected results:

A possibility to fix it would probably be to automatically disable the error message when it covers the Addressbar and other Firefox dialog box, like WebRTC dialog, Download Dialog, ...
Flags: needinfo?(jordi.chancel)
Marking for bounty consideration. PoC seems more of an annoyance that real spoofing risk, but if the comments about "absolute positioning/scrolling" in the report are correct, then something convincing could probably constructed. But it appears we show the alert inside a speech bubble type thing which tries to show the user what tab it came from (in my case it shows the wrong tab).
Flags: sec-bounty?
This is terrible as a addressbar spoof (doesn't look right at all) but annoyingly blocks browser UI -- hides real location, can prevent manipulating/closing tabs using the mouse. It might be more convincing to try to spoof some other kind of browser message.

This error message UI violates the absolute rule that web content should NEVER appear in the chrome area. https://textslashplain.com/2017/01/14/the-line-of-death/  That little pointer tail is dangerous -- even if we make sure the message is inside the content area we need to make sure the tail doesn't cross into chrome. Kind of dangerous even if it starts as position 0 since users might assume that it's crossing over. Can we get rid of the tail? Can we pad it by 10px if its too close to the edge?

In this case the form is invisible. Should we be showing errors from invisible content? That's a tricky one though because it might be visble-but-ghostly or obscured with other overlapping content or a busy background.

x-moz-errormessage is non-standard and here we can see why it's dangerous. Can we just kill it?

Some of this code would be "Layout: Form Controls" (found other bugs filed there) but I suspect this is really a front-end issue (browser/modules/FormSubmitObserver.jsm).
Blocks: eviltraps
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Core → Firefox
Group: firefox-core-security
Dupe of (public) bug 1294413?
Flags: needinfo?(dveditz)
yup -- thanks! So is it a "Layout" bug or a front-end bug to fix?
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
I clear the Flags: needinfo?(jordi.chancel@alternativ-testing.fr)
Flags: needinfo?(jordi.chancel)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: