Closed Bug 1642747 (CVE-2021-23958) Opened 4 years ago Closed 4 years ago

It's possible to screen-capture the next tab after tab close

Categories

(Firefox :: Site Permissions, defect, P2)

defect

Tracking

()

VERIFIED FIXED
86 Branch
Tracking Status
firefox-esr78 - wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 + verified
firefox86 + verified

People

(Reporter: jib, Assigned: pbz)

References

(Blocks 1 open bug, )

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [adv-main85+])

Attachments

(2 files, 1 obsolete file)

From bug 1641802 comment 4, when screen-capturing the Firefox window (or the "Entire screen" with Firefox on it), JS may capture a split second after tab close, capturing the next tab shown. This is not POLA, and could be exploited to put users' privacy at risk.

STRs:

  1. Open a random victim tab, e.g. https://gokitty.com
  2. Open https://fiddle.jshell.net/jib1/0sjrmkuh/show
  3. Click the Capture screen! button, and select the Firefox window (or Entire Desktop) + Allow
  4. Close the fiddle tab.
  5. Re-open the fiddle tab.

Expected result:

  • A screen-grab of the fiddle tab

Actual result:

  • A screen-grab of gokitty.com

I've tried it on both Windows 10 and macOS 10.15.4. My success-rate is about 1/5 times.

Similarly, I've tried sending the capture to another tab over WebRTC (open this in two tabs), but not had success reproing that way. Although, this being timing-related, we perhaps shouldn't rule it out.

The repro fiddle doesn't work in release for some reason (uncaught exception: Object), it's unclear why. But this weakness is most likely not a regression, and an exploit that works in release could presumably be written.

The severity field is not set for this bug.
:pbz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(pbz)
Flags: needinfo?(jhofmann)

Thanks! I'll have a look.

Assignee: nobody → pbz
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(pbz)
Priority: -- → P2

I think Paul is still looking at this, I don't have the bandwidth right now :)

Flags: needinfo?(jhofmann)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Group: firefox-core-security → core-security-release
Flags: in-testsuite+

The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(pbz)

Comment on attachment 9187173 [details]
Bug 1642747 - Don't blur closing active tab early if screensharing. r=johannh

Beta/Release Uplift Approval Request

  • User impact if declined: Users expects screen sharing to end immediately when they close a tab with active screen sharing. With this bug sites can briefly capture contents of the next tab before the screen sharing ends, potentially violating the users privacy.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See STR from comment 0. Working test url is: https://jsfiddle.net/jib1/0sjrmkuh/show
    The issue is intermittent, however I was able to reproduce it after a couple of tries on my Windows VM.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch and we only change behavior for closing active tabs with screen sharing. I've added a test to ensure we don't break tab closing for the screen sharing scenario.
    Since the bug is quite intermittent we don't have test coverage for the bug itself.
  • String changes made/needed:
Flags: needinfo?(pbz)
Attachment #9187173 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9187173 [details]
Bug 1642747 - Don't blur closing active tab early if screensharing. r=johannh

approved for 85.0b5

Attachment #9187173 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Reproduced the initial issue using old Nightly from 2020-06-02, verified that his is no longer an issue using Firefox 85.0b5 and Latest Nightly from today across platforms (Windows 10, macOS 11 and Ubuntu 18.04). Keeping qe-verify+ flag until this will be fixed in ESR as well.

Is this worth uplifting to ESR78? Please nominate for approval if so; it grafts cleanly.

Flags: needinfo?(pbz)

Let's stick to 85 release for now and check back next cycle to ensure we don't regress. Leaving NI for that.

Whiteboard: [adv-main85+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9198098 - Attachment is obsolete: true
Alias: CVE-2021-23958

Haven't spotted any regressions from this patch in 85, so uplifting to ESR is an option. However, looking at the uplift request form I can see that we usually only uplift sec-high and sec-crit. I don't see how this bug would be an exception to that.
Happy to discuss this further if you have concerns.

Flags: needinfo?(pbz)
Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: