Closed Bug 1680793 (CVE-2021-23963) Opened 4 years ago Closed 4 years ago

Geolocation sharing state overwrites WebRTC sharing state

Categories

(Firefox :: Site Identity, defect)

Product:
Firefox
Component:
Site Identity
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- verified
firefox86 --- verified

People

(Reporter: emz, Assigned: emz)

References

(Regression)

Details

(Keywords: regression, sec-low, Whiteboard: [adv-main85+])

Attachments

(3 files, 1 obsolete file)

Bug 1680793 - Do not overwrite the webRTC sharing state when updating other sharing states. r=johannh
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review
Bug 1680793 - Added test for gBrowser#updateBrowserSharing. r=johannh
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review
advisory.txt
281 bytes, text/plain
Details

When we have an active sharing state for WebRTC and then begin sharing geolocation, updateBrowserSharing resets the webRTC sharing state: tab._sharingState.webRTC = null:
https://searchfox.org/mozilla-central/rev/6bb59b783b193f06d6744c5ccaac69a992e9ee7b/browser/base/content/tabbrowser.js#1392

This results in the microphone/camera indicator in the tab, the identity section and in the siteIdentity popup permission list to disappear. The global WebRTC indicator is not affected.

In theory this could be abused, but it's rather an edge case. The user would have to first accept the webRTC sharing permission prompt and then the geolocation prompt.

This feels like sec-moderate to sec-low since it's definitely a big spoofing/tricking issue but also one that requires the user to consent to camera access in the first place (which is quite a big barrier to cross). Additionally there are global hardware and software indicators on most systems that alert you about the camera usage.

Keywords: sec-low

The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(pbz)

Comment on attachment 9191358 [details]
Bug 1680793 - Do not overwrite the webRTC sharing state when updating other sharing states. r=johannh

Beta/Release Uplift Approval Request

  • User impact if declined: If a user grants access to WebRTC (mic, camera, or screen) and then geolocation the indicators for the WebRTC sharing disappear. This is a security risk, because it can give the user the impression that they are no longer sharing their device via WebRTC. The affected sharing indicators are: Tab icon (for background tabs), site identity icon, permission icon in the identity popup permission list. The global WebRTC sharing indicator (window) is not affected by this bug.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: 1. Go to https://permission.site
  1. Click on Microphone, Camera, or Camera + Microphone, select a device and click "allow"
    There should be a blinking WebRTC indicator icon in the identity icon section (next to the lock) and in the permission list of the identity popup
  2. Click on "Location" and allow access
    There should now be indicators for both the geolocation and the webRTC access.
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): The patch updates the device sharing UI code and could break our device sharing indicators as well as permission list entries for temporary geolocation / webRTC grants.
    However the code change is rather small and it now has improved test coverage.
  • String changes made/needed:
Flags: needinfo?(pbz)
Attachment #9191358 - Flags: approval-mozilla-beta?
Attachment #9191649 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9191358 [details]
Bug 1680793 - Do not overwrite the webRTC sharing state when updating other sharing states. r=johannh

approved for 85.0b3

Attachment #9191358 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9191649 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Hello!
Reproduced the initial issue with Firefox 85.0a1 (20201204162120) on Windows 10x64 while following the steps from comment 6. After allowing the camera or camera+ microphone and then allowing the geolocation the WebRTC camera indicator was hidden.
The issue is verified fixed with Firefox 86.0a1 (20201217214927) and 85.0b3 (20201217185930) on Windows 10x64, macOS 10.12 and Ubuntu 18.04. The camera WebRTC icon is still displayed after allowing geolocation.

Status: RESOLVED → VERIFIED
status-firefox85: fixedverified
status-firefox86: fixedverified
Flags: qe-verify+

Seems low-impact enough that we don't need to take this on ESR. Feel free to nominate if you feel strongly otherwise.

status-firefox-esr78: affectedwontfix
Whiteboard: [adv-main85+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9198100 - Attachment is obsolete: true
Alias: CVE-2021-23963
Group: core-security-release
Has Regression Range: --- → yes
Keywords: regression
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: