Closed Bug 1507378 Opened 7 years ago Closed 4 years ago

A website persistently focusing an <input> will cause denial-of-service attack

Categories

(Firefox for Echo Show Graveyard :: Security: General, defect)

Product:
Firefox for Echo Show Graveyard
Component:
Security: General
Platform:
Unspecified
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: mcomella, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, sec-low)

STR: - Visit https://jsfiddle.net/zasg3wku/1/ - Click bottom right corner (white square with <input>) - Press back Expected: keyboard is lowered (or never opened in the first place) Actual: keyboard is immediately raised after back is pressed. This happens infinitely The website is redirecting focus to the <input> field every 100ms. Whenever focus is moved to an <input> the keyboard is raised. Since the keyboard is fullscreen and obscures the browser toolbar which would let the user navigate away, this is a denial of service attack. One workaround would be for the user to utter, "Alexa, open YouTube" or various other sites. This is the same STR as [1] (more info in private repo [2]). In investigations for that bug, we discovered this is hard to fix with WebView [3]. Our current next step for that bug is to reach out to Amazon to see if they have a solution we could implement. [1]: https://github.com/mozilla-mobile/firefox-echo-show/issues/89 [2]: https://github.com/mozilla-mobile-skunkworks/firefox-connect/issues/512 [3]: https://github.com/mozilla-mobile-skunkworks/firefox-connect/issues/512#issuecomment-434853710
This is reproducible on Silk too (and I wonder about Fire TV...).
I wrote this up in a format to share with Amazon: --- We've run into an issue when a website redirects focus to a text entry <input>. The Echo Show keyboard automatically opens and covers the full screen, obscuring the WebView. This could be used for denial-of-service style attacks: Steps to reproduce: - Visit https://jsfiddle.net/zasg3wku/1/ - Click bottom right corner (white square with <input>) - Press back Expected: keyboard is lowered (or never opened in the first place) Actual: keyboard is immediately raised after back is pressed. This happens infinitely on both Firefox and Silk Whenever focus is moved to an <input>, the keyboard is raised. Since the keyboard is fullscreen and obscures the browser toolbar which would let the user navigate away, this is a denial of service attack. This website redirects focus to the <input> every 100ms. One workaround would be for the user to utter, "Alexa, open YouTube" (or similar). This behavior occurs because the keyboard is fullscreen and obscures any browser UI that could provide an escape hatch (e.g. stock Android devices do not use a fullscreen keyboard and cannot deny service there). We are tracking the security issue on Bugzilla. The same root cause also causes an issue where the auto-opening fullscreen keyboard obscures feedback the website provides until the user closes the keyboard again: you can find that STR and our initial investigations into the root cause of this issue at firefox-connect#512. Unfortunately, this is hard for us to fix with WebView. We could write code to only display the keyboard for user interaction but this works around intended platform behavior and is likely complex and fragile (e.g. it's hacky to prevent the keyboard from opening at all, if it's possible). Do you have any suggestions about how we can fix this issue? Please note again this also happens in Silk. --- This does not appear to affect Firefox for Fire TV with the given STR.
Note that we may have control over this behavior (to prevent the keyboard from raising unless it was from a user action) with GeckoView.
This only denies service to the browser, not to the whole device.
Group: firefox-core-security → mobile-core-security
Firefox for Echo Show and Firefox Lite are no longer supported. This report has been closed because the projects are no longer accepting new contributions. See https://support.mozilla.org/en-US/kb/end-support-firefox-lite and https://support.mozilla.org/en-US/kb/end-support-firefox-amazon-devices
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Group: mobile-core-security
You need to log in before you can comment on or make changes to this bug.