able to upload files using the system file picker when Firefox's file permission is denied
Categories
(Firefox for Android Graveyard :: General, task)
Tracking
(Not tracked)
People
(Reporter: yogeshjadhavfyjc, Unassigned)
Details
(Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(6 files)
The issue is very critical, which gives access to the website without permission.
Steps to reproduce
- Open this website, which is as follows: https://www.virustotal.com/gui/home/upload
- Which wants permission to select a file, but if the user denies every alert statement from the pop-up.
- It gives access to select a file from the stored data.
- Which is a highly critical vulnerability, in that it allows access to the data without his/her permission.
- It is the fault of the Mozilla Firefox app that it is giving such access without any permission.
- Also it is happening here on this website, on this page, where I can browse the file; if I deny this it gives the pop-up. Here I am attaching the screenshots also.
https://bugzilla.mozilla.org/enter_bug.cgi?format=web-bounty&product=mozilla.org
Comment 1•5 years ago
Hi Yogesh,
Can you please explain this issue more clearly? Exactly which permission(s) are you not granting, when you attempt to upload a file? Would it be asking permission to access the device's microphone or camera instead? (in case you may want to upload a photo or video just taken instead of an existing one from the device storage).
I am asking because the "toast" notification in the bottom of the screen says: "reverting to the system file picker". Also what version of Firefox are you using?
Either way I am going to defer to mobile folks on this one.
Comment 7•5 years ago
I attached screenshots of what the flow looks like for me, which is basically:
- Open website, hit the 'Choose file' button
- Android asks me 'Allow Firefox to take pictures and record videos', which I deny.
- Android asks me 'Allow Firefox to access photos, media and files on your device', which I also deny.
- I am then presented with the system file picker, and I can successfully upload a file from my device
Summarized: Even when you deny the permission to access device data, should the "Upload file" button present the system file picker?
This is definitely unexpected and I am not entirely sure if this works as expected or not.
Comment 8•5 years ago
Yogesh, thank you for filing this bug. Please give us some time to explore and come back with an answer.
Comment 9•5 years ago
Asking feedback about expected behaviour here from James and Sebastian.
Comment 10•5 years ago
This sounds like bug 1538270. Not worth being behind a security flag.
Comment 11•5 years ago
Do you see a toast message? Required permissions not granted, reverting to system file picker.
I get this on Android 9.
Comment 12•5 years ago
Kevin, are you sure, I am getting the exact same behaviour on 68.2b6
Comment 13•5 years ago
I do see the toast now. That toast is impossible to see if it sits on top of a file listing. Was the conclusion of this bug that the behaviour is correct?
Comment 14•5 years ago
Yes. Firefox is not bypassing any permissions. As I understand this is using Android intents, we ask Android for a file browser and the file browser provides the individual file to upload to Firefox.
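The intent-based flow described in Comment 14, sketched as an added example (not part of the original thread and not Firefox source code). The class `UploadActivity`, the request code `REQ_PICK_FILE` and the `uploadedBytes` counter are hypothetical; the toast text is the one quoted in Comment 11.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Toast;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical activity for illustration; not Firefox source code.
public class UploadActivity extends Activity {
    private static final int REQ_PICK_FILE = 1; // arbitrary request code
    private long uploadedBytes; // stand-in for a real upload

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        boolean storageGranted = checkSelfPermission(
                Manifest.permission.READ_EXTERNAL_STORAGE) == PackageManager.PERMISSION_GRANTED;
        if (!storageGranted) {
            // Without the permission the app cannot list or open storage itself.
            Toast.makeText(this, "Required permissions not granted, reverting to system file picker",
                    Toast.LENGTH_LONG).show();
        }
        // The picker UI is a separate system app running with its own permissions.
        Intent pick = new Intent(Intent.ACTION_GET_CONTENT);
        pick.addCategory(Intent.CATEGORY_OPENABLE);
        pick.setType("*/*");
        startActivityForResult(pick, REQ_PICK_FILE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_PICK_FILE || resultCode != RESULT_OK
                || data == null || data.getData() == null) {
            return; // cancelled: the app learned nothing about the user's files
        }
        Uri picked = data.getData(); // content:// URI for the one item the user chose
        try (InputStream in = getContentResolver().openInputStream(picked)) {
            byte[] buf = new byte[8192];
            for (int n; in != null && (n = in.read(buf)) != -1; ) {
                uploadedBytes += n; // a real app would send these bytes to the site
            }
        } catch (IOException e) {
            Toast.makeText(this, "Could not read the selected file", Toast.LENGTH_SHORT).show();
        }
    }
}
```

The app only ever receives the single URI the user selected in the picker; it never gains the ability to browse or read other files, which is why denying the storage permission does not block this path.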
Comment 15•5 years ago
Marking this as WONTFIX as we are confident this works as expected on 68.2, which will ship soon.
Comment 16•5 years ago
Actually, I'll make this bug a dupe of 1538270 - thanks for that reference Kevin.
Comment 17•5 years ago (Reporter)
Yes, if you don't allow, meaning deny that permission, then it will check proportionally and it can directly open your gallery and send whatever file you select.
Not only is it happening on the mentioned website but it is also happening here, when you try to send a screenshot and all, that time when it asks you to allow access to your storage and send the pictures.
Comment 18•5 years ago (Reporter)
Not only with the website I mentioned, but it is happening here if you try to attach the file the first time and you denied.
It should be denied and go back, but it takes the access and gives you the permission to select a file.
My question is HOW? and WHY?
The fault is not from the Android system; it is only happening in Firefox.
And if you'll not do anything and if the Play Store gets this information, then they can boycott you from the Play Store because your browser is going outside their terms and conditions, where you are accessing the users' DATA without their permission. Your browser is taking charge of their phones.
Comment 19•5 years ago
Please see the discussion in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1538270
Comment 21•5 years ago (Reporter)
I saw that report, but nowhere did I get any resolution of that bug in all those reports and communication.
Do you get that or not??
Not?? I have the resolution..if you'll ask... For it...??💸💸💸
Yes??? When it will come because i am going to report it on google play security that you are affected by this bug where users information and data is able to see without permission of user...
Comment 22•5 years ago
The behavior is the same as Chrome on Android (except ours has a message added in bug 1538270). Does not qualify for a security bounty.