Closed Bug 1707956 Opened 4 years ago Closed 2 years ago

Firefox for Android Entering Fullscreen Snackbar Notification Spoof using Dialogs or Text Selection Menu

Categories

(Fenix :: Toolbar, task, P3)

Unspecified
Android
task

Tracking

(firefox113 fixed)

RESOLVED FIXED
112 Branch
Tracking Status
firefox113 --- fixed

People

(Reporter: sourc7, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [fixed by bug 1816059][reporter-external] [client-bounty-form] [verif?])

Attachments

(9 files)

Attached file spoof.1.html

After the Element.requestFullScreen() method is invoked using JavaScript, Firefox Fenix shows a fullscreen snackbar notification with the message "Entering full screen mode" so that the end user is aware (to prevent spoofing).

Surprisingly, I found that the Android text selection menu (from Android 6.0) is able to overlap the Firefox Fenix entering-fullscreen snackbar. When the user selects text on the web page, the text selection menu (e.g. Cut, Copy, Paste, Search, and Share) overlaps the Fenix snackbar notification.

On Chrome for Android, the fullscreen notification toast is shown in front of the text selection menu, so spoofing/hiding the fullscreen notification toast is not possible.

Version tested:

  • Firefox Nightly 90.0a1 Build ID 20210424090050
  • Firefox 88.0.1 Build ID 20210426133657

Steps to Reproduce:

  1. Visit attached spoof.1.html
  2. Tap "Sign in with Google" input element
  3. The fullscreen notification is overlapped by the text selection menu
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

Confirmed behavior with bottom toolbar in portrait orientation and in dark mode. The fullscreen text is covered in light mode. The toolbar color switching may clue the user in that something odd has happened. The attacker could use prefers-color-scheme to make an intelligent guess here and provide a likely asset. The attack does not work if the user has toolbar set to top. I don't believe web APIs provide any way to detect this preference. The attack does not fully work in landscape mode. I also suspect devices with different aspect ratios may see the entering fullscreen mode text. These flaws could be worked around by the attacker with some wider testing of the attack and additional code.

Attached file spoof.dialog.html

When the JS methods alert() or confirm() are called on Firefox for Android, a floating message dialog is shown using Android native Dialogs.

I also found that when the requestFullScreen() method is called simultaneously with the JS dialog alert() or confirm(), the fullscreen snackbar notification is also overlapped by the Android Dialogs.

Summary: Firefox for Android Entering Fullscreen Snackbar Notification Spoof using Text Selection Menu → Firefox for Android Entering Fullscreen Snackbar Notification Spoof using Dialogs or Text Selection Menu

On some devices (reproduced on Pixel 2 API 29 Android Emulator), the fullscreen snackbar is fully overlapped by the Android Dialog, so the user won't notice the notification.

Probably "sec-moderate". Will look at some equivalent past Chrome bugs to see if that's the right ballpark. Seems at least a little worse than a sec-low spoof (presumably the full-screen image would then contain a fake toolbar)

(In reply to Kevin Brosnan [:kbrosnan] from comment #3)

> Confirmed behavior with bottom toolbar in portrait orientation and in dark mode. The fullscreen text is covered in light mode. The toolbar color switching may clue the user in that something odd has happened.

Thanks Kevin for confirming and the detailed analysis.

> The attacker could use prefers-color-scheme to make an intelligent guess here and provide a likely asset.

Yes, with prefers-color-scheme it is able to know the user's device theme.

> The attack does not work if the user has toolbar set to top. I don't believe web APIs provide any way to detect this preference.

I found a workaround to detect this using window.mozInnerScreenY; the value differs significantly when the toolbar is set to top versus set to bottom.

I noticed, using a few different phones and the Android Emulator, that when the toolbar is set to top the mozInnerScreenY value is above ~80, and when the toolbar is set to bottom the mozInnerScreenY value is below ~40. This can be a reliable way to detect the position of the user's toolbar.

> The attack does not fully work in landscape mode.

In landscape mode, using spoof.dialog.html it can partially cover the fullscreen notification; however, the result depends on the device screen. On a smaller screen it can fully cover the fullscreen notification (tested on Android Emulator - 4 WVGA (Nexus S) API 29).

> I also suspect devices with different aspect ratios may see the entering fullscreen mode text. These flaws could be worked around by the attacker with some wider testing of the attack and additional code.

Now, with the spoof using Android Dialogs (spoof.dialog.html), it can fully cover the fullscreen mode text, which is more reliable than the text selection menu.

Following the dialog spoof testcase, with an added combination of prefers-color-scheme, which detects the toolbar theme, and mozInnerScreenY, which detects the toolbar position.

OS: Unspecified → Android

sec-moderate -> P3

Priority: -- → P3

sec-moderate -> S3

Severity: -- → S3
Component: Security: Android → Toolbar

Tasks should have severity N/A.

Severity: S3 → N/A

Hi Dan or Tom, I see Firefox on Android is now using the Android native Toast instead of a custom Toast view or snackbar.

Last year I reported to the Chrome VRP that they are affected by the same issue, and they finally switched back to the Android native Toast to fix the issue.

As Firefox on Android has already switched to the Android native Toast, this issue has been fixed. The commit that fixes the issue is https://github.com/mozilla-mobile/firefox-android/pull/1278, and looking at the Mozilla advisory, it was fixed as "CVE-2023-29534: Fullscreen notification could have been obscured on Firefox for Android".

I hope this one is also rewarded and given the same severity, because I reported this much earlier than Bug 1816059.

Flags: needinfo?(tom)
Flags: needinfo?(dveditz)

So you're saying this is fixed also? (seems to check out)

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dveditz)
Resolution: --- → FIXED
See Also: → CVE-2023-29534
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [fixed by bug 1816059][reporter-external] [client-bounty-form] [verif?]
Target Milestone: --- → 112 Branch
Group: mobile-core-security → core-security-release
Depends on: CVE-2023-29534
Flags: sec-bounty? → sec-bounty+
Flags: needinfo?(tom)
Group: core-security-release
