Open Bug 1620920 Opened 3 years ago Updated 2 years ago

UI Spoofing: chrome.windows.create of WebExtensions can create a fullscreen window without a warning

Categories

(WebExtensions :: Frontend, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: filedescriptor, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?] addons-ux)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0

Description:
The chrome.windows.create API of WebExtensions has a state parameter which can be specified to "fullscreen". A window created with this will be opened in full screen mode without the indication of it being a web page in fullscreen. The API does not require any permission of WebExtensions and can be used to spoof the browser UI (and OS UI if you will).

Steps to Reproduce:

  1. Load the attached extension zip as a temporary add-on
  2. A fake Chrome UI will appear covering the full screen
Flags: sec-bounty?
Attached image normal_fullscreen.png

A normal webpage in fullscreen will have an indicator of the website's origin

Yeah there should be an indicator like it's shown on websites when the page goes into full-screen. Also, pressing ESC to exit doesn't seem to be supported to exit that window, which is probably intentional but it would be great if ESC could spawn the fullscreen indicator or something at least.

Anyway, I would argue that this is sec-low since it requires installation of a WebExtension which is already quite a big escalation of privilege.

Ultimately this isn't much worse than bug 1400252, IMO, which is public. So it's probably fine to open this up, but I'll wait for a second opinion.

Status: UNCONFIRMED → NEW
Type: task → defect
Component: Security → Untriaged
Ever confirmed: true
Product: Firefox → WebExtensions
See Also: → 1400252

From a somewhat related discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=1296365#c4

It seems that popups have their own "security indicator" that always shows the true URL in the window title, so I would say that's somewhat mitigated (although I think not enough).

We should consider preventing extensions doing content-full-screen mode like this, and instead make it chrome-full-screen mode. This way, the tabstrip and urlbar will be visible.

The other consideration would be to make sure that full-screen controls work appropriately, which would be more Chrome compatible.

We don't feel this is a security issue at this time.

ni?Fallen to look into this further.

Flags: needinfo?(philipp)
Group: firefox-core-security

We discussed this at length.

Firefox doesn't show any panel for this full screen mode, primarily because it requires user interaction to get into it.
We cannot backtrack and require user input for this particular option since that would break extensions.
So we would have to add an extension-specific panel, similar to the in-content-fullscreen mode.

After trying the example extension, I think we need to do something here, as it does provide a fullscreen appearance. It is not in-content fullscreen, but given the combination of options, they are acheiving somethign we should probably disallow. For this particular combination (panel + fullscreen), it might be ok to require user interaction. We could also simply disallow the combination.

chrome.windows.create({ url, type: 'panel', state: 'fullscreen' })

Thanks for the update! That comment seems reasonable :)

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Severity: normal → S3

The severity of these bugs was changed, mistakenly, from normal to S3.

Because these bugs have a priority of --, indicating that they have not been previously triaged, these bugs should be changed to Severity of --.

Severity: S3 → --
Severity: -- → S3
Priority: -- → P3
Component: Untriaged → Frontend
Flags: sec-bounty? → sec-bounty-
Flags: needinfo?(philipp)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] addons-ux
You need to log in before you can comment on or make changes to this bug.