Closed Bug 1561419 Opened 5 years ago Closed 5 years ago

The permission pop-up window is subject to clickjacking attack

Categories

(Firefox for Android Graveyard :: Web Apps (PWAs), defect)

Firefox 67
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1147265

People

(Reporter: haorlu, Unassigned)

Details

Attachments

(1 file)

Attached image Figure 1 and 2.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15

Steps to reproduce:

Dear Firefox team,

We're a security research group at Indiana University. Recently we studied Firefox for Android and discovered a critical clickjacking-style security flaw in its permission authorization, affecting both Firefox (67.0.3) and Android 9. By exploiting the flaw, a malicious Web App can access the private and sensitive information and resources (e.g., camera, microphone, location) of users, bypassing Firefox permission authorization [1]. Besides, a malicious Android app can stealthily get such sensitive information and resources of Web App users without acquiring any related Android permissions [5], such as android.permission.ACCESS_COARSE_LOCATION. This security flaw breaks the security of both the Android OS and Firefox. Note that we reported the same problem to Chrome, where it has been confirmed (CVE-2019-5767) and fixed [4].

Background

On Android, Firefox defines several permissions to authorize a Web App and shows a popup window asking for user authorization as shown in Figure 1.

On Android, the “SYSTEM_ALERT_WINDOW” permission allows an Android app to draw arbitrary overlays on top of other Android apps. This permission is common and used by a lot of popular applications including Facebook, Twitter, 1Password, WeChat, etc. Note that this permission is even granted automatically to apps downloaded from the Google Play store under either of the following conditions:
- the app has a target API version less than 23;
- the app had a target API version less than 23 and was installed by users. Later, even if the installed app updates to a version with target API no less than 26 (recently Google Play requires newly uploaded/updated apps to have a target API version of 26 or higher [7]), the app silently remains in possession of the permission after the update.

The clickjacking-style Problem (Attack Scenario 1)

A malicious Web App can stealthily acquire sensitive permissions from Firefox, bypassing the authorization pop-up (Figure 1), with the help of a colluding Android native app which has the “SYSTEM_ALERT_WINDOW” permission. Once a malicious Web App is about to trigger the authorization pop-up, it informs the malicious Android app, so the Android app immediately draws an overlay atop the authorization pop-up. The overlay conceals the fact that authorization is taking place, and the victim is lured to click the “Share” button, which indeed grants the permission to the Web App. The Web App is then permitted to silently access victim users’ sensitive information or resources (e.g., location, camera, microphone). Our video demo [2] shows the stealthiness of such an attack (we made the demo using Chrome, which fixed the problem after our report, referred to by CVE-2019-5767; we have confirmed that Opera has the same problem). This flaw is partially attributed to the lack of adequate UI protection provided by Android. In particular, as a third-party app, it could be very difficult for Firefox to detect or remove the overlays of other Android apps.

Attack Scenario 2

A malicious Android app with only the “SYSTEM_ALERT_WINDOW” permission can launch a colluding Web App at any time and hide the launching process with an overlay. The malicious Web App, running but hidden under the overlay, will exploit the aforementioned clickjacking flaw and silently get permission from Firefox to access sensitive information and resources, which can be supplied back to the malicious Android app. From the user’s perspective, he or she remains in the Android app with only the “SYSTEM_ALERT_WINDOW” permission, but this app silently gets access to the user’s sensitive information and resources via a Web App, such as location, voice recorder, camera. We attach a video [3] to better demonstrate this attack (again using Chrome, which fixed the problem after our report, referred to by CVE-2019-5767; Firefox has the same problem).

Discussions

Note that a typical Android app cannot use the “SYSTEM_ALERT_WINDOW” permission and the cover of overlays to get additional Android permissions [5]. This is because Android’s permission authorization window (Figure 2) will clear any overlay on top of it when displayed. This permission authorization window is owned by the Android OS and takes advantage of a private permission, “HIDE_NON_SYSTEM_OVERLAY_WINDOWS” [6], to clear the overlays on top of it. Unfortunately, this permission is not currently available to third-party apps.

However, in Attack Scenario 2, a malicious Android app takes advantage of Chrome and a colluding Web App to get additional capabilities (e.g., permissions to access users’ locations, microphone) which are equivalent to Android permissions (e.g., ACCESS_FINE_LOCATION to access users’ locations, android.permission.RECORD_AUDIO to record audio).

For both attack scenarios, the aforementioned malicious Web App could be successfully opened by Firefox. Besides, the malicious Android apps we used to demonstrate the problems could also be published successfully on Google Play and other major Android app stores, such as the Amazon app store.

We believe the security flaw has high security and privacy impacts since a malicious Web App and Android app can stealthily access Web App users’ sensitive information and resources without user authorization or awareness.

Please let us know if you need more information.

Haoran Lu, Yifan Zhang, Luyi Xing, Xiaojing Liao
Indiana University Bloomington
06/24/2019

References

[1] Web App Permission, https://support.mozilla.org/en-US/kb/how-manage-your-camera-and-microphone-permissions

[2] Security Flaw 1 Demo Video, https://drive.google.com/open?id=1U3T_c44eFMWWqtA9Lq3kWRcLoKiBS9Xk

[3] Security Flaw 2 Demo Video, https://drive.google.com/open?id=18IjtY2XcYGHiXEwO8lPi0yz343etPJOF

[4] Problem Confirmed on Chrome, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5767

[5] Android Permissions, https://developer.android.com/reference/android/Manifest.permission

[6] Private Permissions, https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml#2652

[7] Google Play API Level Requirement, https://support.google.com/googleplay/android-developer/answer/113469#targetsdk

Actual results:

A malicious Web App can access the private and sensitive information and resources (e.g., camera, microphone, location) of users bypassing Firefox permission authorization [1].

Expected results:

The permission should not be granted when an overlay is present atop the authorization pop-up.
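One way a permission prompt can implement the expected behaviour above on the app side, added here as an illustration and not code from the report or from Firefox: Android marks a MotionEvent with FLAG_WINDOW_IS_OBSCURED (and, from API 29, FLAG_WINDOW_IS_PARTIALLY_OBSCURED) when another app's window sits above the touched one, so the grant button can refuse a tap that arrived through an overlay. The class and callback names below are assumptions.

```java
// Added example (not from the bug report or Firefox): refuse to grant a
// permission when the tap on the grant button was delivered through an
// overlay such as one drawn with SYSTEM_ALERT_WINDOW.
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

public final class ObscuredAwarePrompt {

    /** Hypothetical callback for the prompt's outcome. */
    public interface Decision {
        void onGranted();
        void onRejected(String reason);
    }

    /**
     * Wire the grant ("Share") button so that a touch which the framework
     * reports as obscured never reaches the normal click handler.
     * The declarative alternative is setFilterTouchesWhenObscured(true)
     * (or android:filterTouchesWhenObscured in XML), which drops such
     * touches before any listener runs; the explicit check here lets the
     * prompt tell the user why nothing happened.
     */
    public static void protectGrantButton(Button grant, Decision decision) {
        grant.setOnTouchListener((View v, MotionEvent ev) -> {
            if (ev.getActionMasked() != MotionEvent.ACTION_UP) {
                return false; // only judge the release that completes a click
            }
            if (isObscured(ev)) {
                decision.onRejected("touch arrived through another app's overlay");
                return true; // consume the event: no onClick, no grant
            }
            return false; // unobscured: let the regular click handler grant
        });
        grant.setOnClickListener(v -> decision.onGranted());
    }

    /** True when any window not owned by this app covered the touched view. */
    static boolean isObscured(MotionEvent ev) {
        int flags = ev.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= 29) {
            // Partial overlays (e.g. one covering only the prompt text) are
            // reported separately on Android 10 and later.
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }
}
```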

Given that this exact bug report is listed in https://bugs.chromium.org/p/chromium/issues/detail?id=902427 and bug 1147265, opening this up.

Group: mobile-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard