Closed Bug 1665334 (CVE-2025-10534) Opened 5 years ago Closed 11 months ago

MacOS WebRTC status bar menu site label can be abused for spoofing

Categories

(Firefox :: Site Permissions, defect, P3)

Product:
Firefox
Component:
Site Permissions
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
143 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 --- wontfix
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- fixed

People

(Reporter: emz, Assigned: emz)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [adv-main143+])

Attachments

(2 files)

url-spoof-webrtc-menu.png
41.69 KB, image/png
Details
(secure)
48 bytes, text/x-phabricator-request
Details | Review

When a webRTC device is shared on macOS we show an indicator in the status bar. When the user clicks the icon we show a list of websites which use the device.
For example: "Sharing Microphone with "permission.site"".

Since we get this label from the website title (and only fallback to site URI), a website can set an arbitrary string, allowing for URL spoofing.

We set the label here:
https://searchfox.org/mozilla-central/rev/30e70f2fe80c97bfbfcd975e68538cefd7f58b2a/browser/modules/webrtcUI.jsm#1002

Here is the full string:
https://searchfox.org/mozilla-central/rev/30e70f2fe80c97bfbfcd975e68538cefd7f58b2a/browser/locales/en-US/chrome/browser/webrtcIndicator.properties#25-31

From the title? That's a pretty bad idea for the last 20 years...

But the permission granting dialog is still correct -- this is just after the fact. I guess title in case people have lots of tabs and can't find the right one? Still isn't the best idea and users should find the microphone icon on the tab itself too, right?

Keywords: csectype-spoof, sec-low

Yes, unless they share webRTC devices with multiple tabs with misleading titles it shouldn't be too hard to find the right one. Also, clicking on the menu items in the status bar will switch to the relevant tab and open the identity panel.

We can probably switch to showing a host port combination like the permission prompts do:
https://searchfox.org/mozilla-central/rev/5efefd3ef214ed6d3234ba245c1da3004ead94e0/browser/modules/PermissionUI.jsm#251

This will become more relevant now that Bug 1663784 is bringing the indicator + menu to Windows (and soon also Linux).

Priority: P2 → P3

We no longer show this UI for macOS.

Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → INVALID

Hey emz,

Are we sure this is RESOLVED INVALID? I still see the statusbar menu item on macOS (Sonoma), and can still reproduce the title issue. Also it looks like bug 1878147 means that we're not hiding the statusbar menu on modern versions of macOS.

Flags: needinfo?(emz)

Oh, I tested it wrong. I see the status bar now. Thanks for catching this!

Status: RESOLVED → REOPENED
Flags: needinfo?(emz)
Resolution: INVALID → ---
Attached file (secure)
Assignee: nobody → emz

https://hg.mozilla.org/mozilla-central/rev/df97fb3dbe13

Group: firefox-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 11 months ago11 months ago
status-firefox143: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch

The patch landed in nightly and beta is affected.
:emz, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(emz)

The spoofing risk is relatively low so I'd rather just have this ride the train. Let me know if you think otherwise.

status-firefox142: fix-optionalwontfix
status-firefox-esr140: fix-optionalwontfix
Flags: needinfo?(emz)
QA Whiteboard: [sec] [qa-triage-done-c144/b143]
QA Whiteboard: [sec] [qa-triage-done-c144/b143] → [qa-triage-done-c144/b143]
Whiteboard: [adv-main143+r]
Whiteboard: [adv-main143+r] → [adv-main143+]
Alias: CVE-2025-10534
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: