Open Bug 1557128 Opened 6 years ago Updated 3 years ago

WebAuthN on Android Exynos S8 shows a blank window if there's no U2F token available (Nightly 69)

Categories

(Core :: DOM: Web Authentication, defect, P3)

ARM64
Android
defect

People

(Reporter: kang, Unassigned)

Details

  1. Start a phone which I suspect is WITHOUT a compatible secure element (Galaxy S8 with Exynos CPU, for example, which is what I'm using here - I believe the hardware is compatible but it doesn't expose that feature, or maybe it's because I have Knox off) - clear Firefox Nightly storage, kill the app, clear again - restart the device! (It's a little difficult to get into this state correctly, but following these steps I get it reproduced.)

  2. Install the latest Firefox Nightly.

  3. Go to https://webauthn.io and try to register.

  4. Get a blank window with no way to navigate away (that's the bug).

You can either wait 60s for the timeout or kill Firefox at this point.

Note: if you repeat the same steps with a U2F token inserted (e.g. a YubiKey 5 in the USB-C slot), everything will work fine, and if you repeat after doing so without the U2F token inserted, everything still works fine. You need to wipe your profile to reproduce at this point.

In other words, this seems like a state issue when the phone has no secure element or token inserted the first time the dialog is triggered.

Finally, I tested on the latest Chrome release, which does not have this issue. Instead it gives me a list of options such as a Bluetooth-enabled token, USB tokens, etc. (Firefox, even when functional, only proposes the USB token I last inserted.)

Note: it seems to also "fix it" when I plug any other USB-C device in, not just a U2F token.

Another interesting thing: if I reboot the phone entirely, even after it worked once, I get the white window again.

Attached file logcat_filtered.txt

I'm not sure if there's personal info leaking through this log, so I restricted the bug just in case.

Group: mozilla-employee-confidential, core-security

The relevant parts of that log are the first ~80 lines and the last ~100. Everything else consists of exceptions processing what appears to be the empty profile. I do not see any sensitive information.

Unfortunately, the only log entry related to WebAuthn is the timeout, printed from here:

https://searchfox.org/mozilla-central/source/mobile/android/base/java/org/mozilla/gecko/util/WebAuthnUtils.java#257

This indicates to me that we ceded control to the Fido2 intent from Fido2ApiClient for a time, and then that intent reached timeoutMS and aborted.

That Android's intent didn't show UX is puzzling. We don't do anything that might vary based on system state before calling into Fido2ApiClient.

I can't reproduce. Andrei, have you seen anything like this in your testing?

Flags: needinfo?(andrei.bodea)
QA Contact: andrei.bodea

When I get the buttons correctly displayed, I also get the timeout msgs from WebAuthN in logcat.
I added a few details to comment 1 to reproduce this more reliably as well. I'm also getting an S9 from eBay this weekend if USPS delivers it, with a Qualcomm CPU, so I'll see if I can reproduce it there.

Finally, I don't have an empty Firefox profile - but it's a very old profile, so it probably has some cruft in it. I did try on a fresh profile with a new Android user and could also reproduce it (it's painful to test that one on my personal phones though :)

Group: core-security → dom-core-security

Hello @J.C, I wasn't able to reproduce this issue during my tests, and I tried it today; everything worked as expected.
During my tests I will try to investigate this issue and come back with information in case I find something useful.

Thanks,
Andrei

Flags: needinfo?(andrei.bodea)

Thanks!

Kang - I've marked the attachment as private. Can we open up the rest of the bug?

Flags: needinfo?(gdestuynder)

Yup, please open it up :)

I have tested on a Snapdragon S9 now that I have one and could not reproduce. I only have this issue on the Exynos S8.

Flags: needinfo?(gdestuynder)

I'll have to find someone else to remove the DOM Security Bug status.

Group: mozilla-employee-confidential
Summary: WebAuthN on Android shows a blank window if there's no U2F token available (Nightly 69) → WebAuthN on Android Exynos S8 shows a blank window if there's no U2F token available (Nightly 69)

Marking P3 since it seems limited, minor since there's a known workaround.

Severity: normal → minor
Priority: -- → P3
Group: dom-core-security
Severity: minor → S3