User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Build ID: 20180807170231 Steps to reproduce: Visit one of the listed malicious domains for the first time on a newly installed version of firefox on android. Leave all android permissions to ask the user every time. Please note that the malicious code does not appear every single time (as it is most likely baked into the server side code of the hosts). So some obfuscation and lots of retries are required. https://www.lifewire.com/what-is-sip-3426669 https://www.webmd.com https://thepestmanagment.com/does-soapy-water-kill-wasps http://digitalhome.ca/forum Started happening on July the 5th, 2018. Something that may be related is downloading 2 "0 byte" files named "dbsync", no file extension from linkedin.com the day after this malicious code began popping up on websites, without actually visiting the site in the whole time period, but visiting the site before. The source code for one of the sites: https://pastebin.com/tTtx2AZa Actual results: A website containing malicious code exploits something in firefox that makes it ask if you want the website to use your microphone or camera. In the first run of the malicious website, we see the requirement that firefox ask the user, bypassed, and instead the website immediately gains the ability to record on the camera and microphone without the user knowing. The only thing that stops this from happening, is androids default "ask the user" app permissions, for camera and microphone for firefox. If the user had allowed firefox to use the camera or microphone once before for a legitimate reason, firefox would essentially turn the mobile devices into walking Audio Visual bugs for the offending malware, without the user knowing at all. Expected results: Firefox should have asked the user if they wanted the site to be able to access the camera or the microphone (inside the app), with function based signature enforcement, so that firefox matches the requesting function's hash, which is stored in firefox's local data when somebody accepts a permission for a site. If the requesting function's hash does not match the one in the permission manager, then alert the user that the code has changed, and that there might be something suspicious happening, and then require them to redo the user prompt permission thing.
Severity: normal → major
OS: Unspecified → Android
Hardware: Unspecified → ARM64
This is due to ad networks. Firefox requests permission from the user when MediaDevices.enumerateDevices() is requested by the site. Chrome has a different behavior that is silent. These functions are part of WebRTC a web standard that allows websites to create video and audio communication applications. If you deny the request then the site does not get any information about your device's camera(s) or microphone(s).
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → DUPLICATE
(In reply to Kevin Brosnan [:kbrosnan] from comment #1) > This is due to ad networks. Firefox requests permission from the user when > MediaDevices.enumerateDevices() is requested by the site. Chrome has a > different behavior that is silent. These functions are part of WebRTC a web > standard that allows websites to create video and audio communication > applications. > > If you deny the request then the site does not get any information about > your device's camera(s) or microphone(s). Shouldn't it be illegal for 3rd party advertisements to request Audio or Video input? I mean what practical use, other than spying on people and invasive marketing, does this have? Because essentially all it appears as is Firefox wants access to your camera, or Firefox wants access to your microphone. Let's say that theoretically, with Firefox given the system permissions for Camera and Microphone, that these 3rd party ad networks are actually able to access the Camera and Microphone, and record video without the site specific permissions bubble popping up. Now these ad networks have access to the video of your environment, and more importantly, your face, and your speech. Here you have a huge situation were an advertiser is able to physically associate a Real Life Identity with an Advertising ID, which they are not allowed to do, but they (some of them) try to anyways. As well you have the issue of the Illegal recording of video and Illegal recording of audio, to which the user did not agree to the terms and conditions, or if that argument did come into consideration, then the ad networks start recording video and audio, as soon as the webpage loads, which does not allow the user sufficient time to read or agree to the terms and conditions before their Personal Data is illegally collected. Here is what Camera and Microphone can be used to collect: -Your Facial Reaction to everything that you view (can be used to target advertising to you using fuzzing, creating a complete and highly in-depth psychological profile of you) -Your Face (They know who you are if you have posted your face on social media) -Your Visual Surroundings (Can be used to 3d map your environment, and object/text recognition) -Other Peoples Faces (Makes it easy to get your location, given that the people that you are around have taken a picture of their face) -Everything you say (Not Good) -Everything that you hear (Not Good, excluding psycho-acoustical sources such as Tinnitus) -Your Exact Location (using object references in the sky such a the position of the sun, combined with the gyro and timezone/ip location) -Many other things This is different, it is Firefox wants access to your Camera, and Firefox wants access to your Microphone. To an inexperienced user, this may appear as a standard requirement for Firefox to run, so they will be inclined to click accept. Once that happens, then their device is basically subject to all malicious Ad networks stealing information from their Camera, and their Microphone. So unless Firefox sends the user a website specific permission accept box before it asks the system for Camera and Microphone permissions, then this is considered a security vulnerability. Especially since it conditions the typical user to think that Firefox needs "All the Permissions" in order to operate properly, and this makes the user inclined to do the same for other browsers, that may indeed have huge security problems.
Firefox still shows its own permission prompt before actually giving a web site camera/microphone access. This is just about the fact that merely enumerating available microphones/cameras doesn't trigger any browser-side user notification, but on Android can still cause an OS permissions dialogue to appear.
Status: UNCONFIRMED → RESOLVED
Closed: Last year → Last year
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.