Show form reportValidity validationMessage on any website
Categories
(Toolkit :: UI Widgets, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox88 | --- | wontfix |
firefox89 | --- | wontfix |
firefox90 | --- | fixed |
firefox91 | --- | fixed |
People
(Reporter: sourc7, Assigned: enndeakin)
References
(Regression)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main90+])
Attachments
(6 files)
After setting reportValidity() as the canvas.toBlob callback and setting contenteditable to true, the reportValidity validationMessage will persist even after the tab is closed. As the validationMessage persists on the screen, after the tab is closed the validationMessage is still shown on the previously active tab.
In this report I demonstrate that I am able to spoof a validationMessage on Twitter and then overlap the Twitter button intent (for which pressing Enter also works) to retweet/like the tweet.
As the validationMessage is shown on a secure domain, the user will likely trust that the message is from the website, and the validationMessage will overlap the Twitter button intent message so the user won't notice that pressing Enter will retweet/like the tweet.
Mozregression shows it is a regression from Bug 1684792, "open form validation popup anchored at screen coordinate as datetime picker and select do so that it is positioned correctly in out of process iframes".
Affected version:
- Firefox Nightly 90.0a1 (2021-05-27) (64-bit)
- Firefox Release 88.0.1 (64-bit)
Unaffected version:
- Firefox 78.10.1esr (64-bit)
Steps to Reproduce:
- Visit attached spoof.bundle.html
- Click "Spoof validationMessage" button
- The validation message appears on the Twitter website
- If you're logged in then press Enter to like the tweet
Comment 1 • 3 years ago (Reporter)
Comment 2 • 3 years ago (Reporter)
Hereby I attach the testcase with an invisible Unicode symbol in the custom validationMessage.
Comment 3 • 3 years ago (Reporter)
Comment 4 • 3 years ago
I can confirm this. When I try it the validation panel doesn't cover the twitter "like" confirmation as in the video, but it's still present and that's the heart of the problem. I assume in a real attack the differences could be researched and accounted for (OS? site custom zoom level? fonts?), and even if not, the panel contents will be assumed to come from the visibly showing site and could be used for various other spoofs.
Comment 5 • 3 years ago (Assignee)
Comment 6 • 3 years ago (Assignee)
Gijs mentioned that the security severity needs to be set to land this.
Comment 7 • 3 years ago
hide form validation popup when switching pages, r=Gijs
https://hg.mozilla.org/integration/autoland/rev/7324f82612ca091548dc32f2b2756a22c0a3d6b5
https://hg.mozilla.org/mozilla-central/rev/7324f82612ca
Comment 8 • 3 years ago
Does this want uplift to 90? And have you put the test up in a separate bug somewhere so we can land that after we ship the fix? :-)
Comment 9 • 3 years ago (Assignee)
Comment on attachment 9224284 [details]
Bug 1713259, hide form validation popup when switching pages, r=gijs
Beta/Release Uplift Approval Request
- User impact if declined: A page can pop up an invalid form with a custom message and then redirect to another page, possibly tricking the user into thinking they are on another page.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce: Automated test will be in another bug.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed: None
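A simplified model of the popup lifetime problem and of the "hide when switching pages" behaviour discussed in comments 7 and 9, added here as an illustration. It is not Firefox code or the attached testcase; `PopupHost`, its methods, the example origins and the message text are hypothetical.

```javascript
// Simplified model (hypothetical names, not Firefox code): a validation popup
// drawn by the browser at screen coordinates, owned by the page that asked for it.
class PopupHost {
  constructor(hideOnPageSwitch) {
    this.hideOnPageSwitch = hideOnPageSwitch; // true models the fixed behaviour
    this.popup = null;      // { message, ownerOrigin } or null
    this.tabs = new Map();  // tabId -> origin currently loaded
    this.activeTab = null;
  }
  pageSwitched() { if (this.hideOnPageSwitch) this.popup = null; }
  openTab(tabId, origin) {
    this.pageSwitched();
    this.tabs.set(tabId, origin);
    this.activeTab = tabId;
  }
  navigate(tabId, origin) {
    if (tabId === this.activeTab) this.pageSwitched();
    this.tabs.set(tabId, origin);
  }
  closeTab(tabId) {
    this.tabs.delete(tabId);
    if (tabId !== this.activeTab) return;
    this.pageSwitched();
    this.activeTab = [...this.tabs.keys()].pop() ?? null;
  }
  showValidation(tabId, message) {
    if (tabId !== this.activeTab) return; // only the visible page may show it
    this.popup = { message, ownerOrigin: this.tabs.get(tabId) };
  }
  // What is on screen, and whether the popup belongs to the page being shown.
  userView() {
    const visibleOrigin = this.tabs.get(this.activeTab) ?? null;
    const message = this.popup ? this.popup.message : null;
    const misattributed = !!this.popup && this.popup.ownerOrigin !== visibleOrigin;
    return { visibleOrigin, message, misattributed };
  }
}
// Constructed scenarios: the popup's page goes away by tab close or by redirect.
function scenario(hideOnPageSwitch, how) {
  const host = new PopupHost(hideOnPageSwitch);
  host.openTab(1, how === "close" ? "https://trusted.example" : "https://other.example");
  if (how === "close") host.openTab(2, "https://other.example");
  host.showValidation(host.activeTab, "custom message (constructed)");
  if (how === "close") host.closeTab(2);
  else host.navigate(1, "https://trusted.example");
  return host.userView();
}

for (const how of ["close", "redirect"]) console.log(how, scenario(false, how), scenario(true, how));
```

With `hideOnPageSwitch` false the popup outlives its page and is reported as misattributed to the origin now on screen; with it true the popup is gone in both scenarios.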
Comment 10 • 3 years ago
Comment on attachment 9224284 [details]
Bug 1713259, hide form validation popup when switching pages, r=gijs
approved for 90.0b5
Comment 11 • 3 years ago
uplift
Comment 12 • 3 years ago
Severity is on the low end of moderate, but the combination is clever and we are awarding a bounty for it. In this particular example it's not entirely convincing due to the ugliness of the prompt, but it might just confuse people enough to work.
"on top" elements strike again :-(
Comment 13 • 3 years ago